oss-sec mailing list archives
Re: CVE Request: Linux mishandles int80 fork from 64-bit tasks
From: cve-assign () mitre org
Date: Thu, 2 Apr 2015 13:53:56 -0400 (EDT)
There's another problem, though: setup_thread_stack would propagate TS_COMPAT (i.e. the indication that the task is in a 32-bit syscall) to the child, and nothing would clear that bit. This violates a general invariant that tasks executing in user mode never have TS_COMPAT set.
As a result, both seccomp and audit could misinterpret the offending syscall, with possibly dangerous results depending on configuration. I suspect that this could be used to break out of certain seccomp sandboxes on kernels older than 3.16.
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=956421fbb74c3a6261903f3836c0740187cf038b
Use CVE-2015-2830.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
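Added example, not part of this thread or of the kernel's code: an x86-64 seccomp filter that checks seccomp_data.arch before matching the syscall number, together with a small constructed evaluator so the filter's verdicts can be exercised offline. The arch value seccomp reports is derived from the same compat state that a leaked TS_COMPAT sets, so a filter that insists on AUDIT_ARCH_X86_64 fails closed on such a misclassified syscall instead of matching a 64-bit number against the 32-bit table (x86-64 getpid is 39, which is mkdir on i386); the syscall numbers are the fixed x86-64 ABI values and the evaluator is a stand-in for the kernel's cBPF engine, not the real one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* x86-64 syscall table values (fixed by the ABI, not taken from the build host).
 * In the i386 table 39 is mkdir, which is why nr alone is not a safe key. */
#define X86_64_NR_GETPID     39
#define X86_64_NR_EXIT_GROUP 231

/* Allow getpid and exit_group, but only after confirming a 64-bit syscall. */
static const struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),      /* wrong ABI: fail closed */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, X86_64_NR_GETPID, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, X86_64_NR_EXIT_GROUP, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Constructed evaluator for the three instruction kinds used above; it stands
 * in for the kernel's cBPF engine so the filter can be checked offline. */
static uint32_t run_filter(const struct seccomp_data *d)
{
    const uint8_t *raw = (const uint8_t *)d;
    uint32_t acc = 0;
    size_t pc = 0, n = sizeof(filter) / sizeof(filter[0]);
    while (pc < n) {
        const struct sock_filter *in = &filter[pc++];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, raw + in->k, sizeof acc);      /* load word from data */
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;     /* relative skip */
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
    }
    return SECCOMP_RET_KILL; /* ran off the end: deny */
}

/* Verdict for a constructed seccomp_data with the given arch and syscall nr. */
static uint32_t verdict(uint32_t arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(&d);
}
```

Installing the filter for real is the usual prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) with a struct sock_fprog wrapping the array.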
Current thread:
- CVE Request: Linux mishandles int80 fork from 64-bit tasks Andrew Lutomirski (Apr 01)
- Re: CVE Request: Linux mishandles int80 fork from 64-bit tasks cve-assign (Apr 02)