[v2.7] kernel: espfix: multiple issues (CVE-2014-8133, CVE-2014-8134)
CVE-2014-8133: tls: espfix bypass using set_thread_area
A valid 16-bit stack segment can be created using set_thread_area.
Arranging to return to such a stack segment will bypass espfix, leaking
bits 31:16 of the kernel stack pointer.
Fixed in 3.14.28 and 3.10.64.
CONFIRM:
https://github.com/torvalds/linux/commit/aeb83c03a8f584ce0b9386761c22f145caced232
http://seclists.org/oss-sec/2015/q1/388
UPSTREAM:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86?id=41bdc78544b8a93a9c6814b8bbbfef966272abbe
3.14.y:
https://github.com/torvalds/linux/commit/aeb83c03a8f584ce0b9386761c22f145caced232
3.10.y:
https://github.com/torvalds/linux/commit/359d2d755e1924fc7231d8423696a7365eccd3e1
CVE-2014-8134: espfix was broken on 32-bit KVM paravirt guests
espfix was completely broken on 32-bit Linux KVM guests with
CONFIG_KVM_GUEST=y.
Fixed in 3.14.28 and 3.10.64.
References:
http://seclists.org/oss-sec/2015/q1/388
https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?h=linux-next&id=29fa6825463c97e5157284db80107d1bfac5d77b
UPSTREAM:
https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?h=linux-next&id=29fa6825463c97e5157284db80107d1bfac5d77b
3.14.y:
https://github.com/torvalds/linux/commit/c06c656494797804aa7f603df37208b61792d0d1
3.10.y:
https://github.com/torvalds/linux/commit/9d2b6132e6963ccdfb15a4570984382425b96529
Testing:
CVE-2014-8133 and CVE-2014-8134 can be tested by sigreturn_32,
available here:
Save your data before running this on a production system. If you are vulnerable, the test could crash your system. The espfix issues will cause warnings and failures that mention register mismatches.
—
Reported by Andy Lutomirski
AMA Capital Management, LLC
(from redmine: issue id 4032, created on 2015-04-06, closed on 2017-09-05)
- Relations:
- parent #4030