Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LFD.2.10.1412261914220.28221@wniryva.cad.erqung.pbz>
Date: Fri, 26 Dec 2014 19:19:27 +0530 (IST)
From: P J P <ppandit@...hat.com>
To: oss security list <oss-security@...ts.openwall.com>
cc: Andy Lutomirski <luto@...capital.net>
Subject: Re: CVE Request: Linux x86_64 userspace address
 leak

+-- On Thu, 18 Dec 2014, Andy Lutomirski wrote --+
| On all* Linux x86_64 kernels, malicious user programs can learn the
| TLS base addresses of threads** that they preempt.
| 
| In principle, this bug will allow programs to partially bypass ASLR
| when attacking other user programs.  Figuring out how to adapt the
| test code to do that is left as an exercise to the reader.
| 
| https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86?id=f647d7c155f069c1a068030255c300663516420e
| 
| ** The attack won't work against 64-bit threads with TLS bases > 4GB,
| but AFAIK that's unusual.

  It seems to require 32bit interfaces(CONFIG_X86_32). On x86_64 Fedora/RHEL 
kernels, it says:

===
$ cat /etc/redhat-release 
Fedora release 21 (Twenty One)
$ 
$ cc -xc -o estest estest.c 
$ cc -xc -o gsbasetest gsbasetest.c 
$ 
$ ./estest 
estest: set_thread_area: Function not implemented
$ 
$ ./gsbasetest 
[OK]    ARCH_SET_GS worked
[OK]    Writing 0 to gs worked
[FAIL]  gsbase was corrupted
$
===

--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.