** Description changed: - Don't allow ptrace to set RIP to a value that couldn't happen by - ordinary control flow. There are CPU bugs^Wfeatures that can have - interesting effects if RIP is non-canonical. I didn't make the - corresponding x86_32 change, since x86_32 has no concept of canonical - addresses. putreg32 doesn't need this fix: value is only 32 bits, so it - can't be non-canonical. + The Linux kernel before 3.15.4 on Intel processors does not properly + restrict use of a non-canonical value for the saved RIP address in the + case of a system call that does not use IRET, which allows local users + to leverage a race condition and gain privileges, or cause a denial of + service (double fault), via a crafted application that makes ptrace and + fork system calls. Break-Fix: 427abfa28afedffadfca9dd8b067eb6d36bac53f b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1337339 Title: x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1337339/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
