oss-sec mailing list archives

CVE request -- Linux kernel: x86/msr: /dev/cpu/*/msr local privilege escalation


From: Petr Matousek <pmatouse () redhat com>
Date: Thu, 7 Feb 2013 11:55:19 +0100

Access to /dev/cpu/*/msr was protected only using filesystem checks. A
local uid 0 (root) user with all capabilities dropped could use this
flaw to execute arbitrary code in kernel mode.

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=c903f0456bc69176912dee6dd25c6a66ee1aed00

References:
https://bugzilla.redhat.com/show_bug.cgi?id=908693
http://grsecurity.net/~spender/msr32.c

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
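
Added example, not part of the original message: a simplified C model of the access decision described above, showing why a uid 0 process with an empty effective capability set still passes a filesystem-only check and is refused once a capability is also required. The struct names, the root-owned mode 0600 device node and the sample /proc status text are assumptions constructed for illustration; CAP_SYS_RAWIO is the capability that the referenced upstream commit checks.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_DAC_OVERRIDE 1
#define CAP_SYS_RAWIO    17

struct task { unsigned uid; uint64_t cap_eff; };  /* simplified model of a process */
struct node { unsigned owner, mode; };            /* device node owner and mode bits */

static int has_cap(const struct task *t, int cap) { return (int)((t->cap_eff >> cap) & 1); }

/* Filesystem-only check for read+write (group class omitted for brevity). */
int dac_allows_rw(const struct task *t, const struct node *n)
{
    if (has_cap(t, CAP_DAC_OVERRIDE)) return 1;
    unsigned bits = (t->uid == n->owner) ? (n->mode >> 6) & 7 : n->mode & 7;
    return (bits & 6) == 6;
}

/* Decision described in the report: file permissions are the only gate. */
int open_filesystem_only(const struct task *t, const struct node *n)
{
    return dac_allows_rw(t, n);
}

/* Decision with a capability gate added on top of the file permissions. */
int open_with_cap_check(const struct task *t, const struct node *n)
{
    return dac_allows_rw(t, n) && has_cap(t, CAP_SYS_RAWIO);
}

/* Extract the CapEff mask from text in /proc/<pid>/status format. */
uint64_t parse_capeff(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    return p ? strtoull(p + 7, NULL, 16) : 0;
}

int main(void)
{
    /* Constructed sample: a uid 0 process that dropped every capability. */
    struct task t = { 0, parse_capeff("Uid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n") };
    struct node msr = { 0, 0600 };  /* assumed: root-owned, mode 0600 */
    printf("fs only: %d, with cap check: %d\n", open_filesystem_only(&t, &msr), open_with_cap_check(&t, &msr));
    return 0;
}
```

The owner bits of the device node grant access to uid 0 without any capability being consulted, which is why dropping capabilities alone did not restrict a root process here.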

