[v2.6] kernel: LDT handling bugs (CVE-2014-9090)
The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.10.62 and 3.14.26 does not properly handle a stack-segment fault (#SS) on x86-64, i.e. a fault associated with the SS segment register. A local, unprivileged user can trigger such a fault through the modify_ldt system call and crash the kernel (denial of service via panic), as demonstrated by the sigreturn_32 test in the linux-clock-tests test suite. The upstream fix (the commit listed under References) stops dispatching #SS through an IST stack; the 3.10.y and 3.14.y commits are its stable backports.
References:
CONFIRM: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9090
COMMIT (upstream): https://github.com/torvalds/linux/commit/6f442be2fb22be02cafa606f1769fa1e6f894441
COMMIT (3.10.y): https://github.com/torvalds/linux/commit/fd5683d05ef451c15c24b30050bcd7d14bc50a1d
COMMIT (3.14.y): https://github.com/torvalds/linux/commit/c6328855c41c28b2a53c7c6821af60dd3b41ddba
CONFIRM: http://seclists.org/oss-sec/2014/q4/803
(from redmine: issue id 3744, created on 2015-01-26, closed on 2017-09-05)
- Relations:
  - parent #3743