Discussion:
CVE-2012-0217: SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware
bj.perso
2012-06-13 06:57:00 UTC
Philip Guenther
2012-06-13 07:54:02 UTC
> FreeBSD and NetBSD seem affected, how about OpenBSD ?
Nope. The necessary check(s) for setting bogus return addresses has been
in place since, uh, 2004. Ditto for always returning from signal handlers
using iretq instead of sysretq.


Philip Guenther
Philip Guenther
2012-06-18 18:34:48 UTC
> > FreeBSD and NetBSD seem affected, how about OpenBSD ?
> Nope.  The necessary check(s) for setting bogus return addresses has been
> in place since, uh, 2004.  Ditto for always returning from signal handlers
> using iretq instead of sysretq.
To correct and clarify: while the "bogus return address" checks date
back to 2004, the return from signal handler path wasn't *forced* to
use iretq until OpenBSD 5.0. Previous versions used iretq normally,
but manually written code could force it to use sysretq and trigger
this issue.

(Thank you to Rafal Wojtczuk for the original discussion and for
catching my misleading note above.)


So, if you're still running amd64 OpenBSD 4.9 or earlier on Intel
hardware, you need to upgrade.

(Thanks, Intel, for screwing this up.)


Philip Guenther
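The two defences named in this thread (rejecting bogus return addresses when user state is set by a syscall, and forcing the signal-handler return path through iretq) are small in code, so here is a model of both as an added example. It is not OpenBSD's code and not from the posts above; the 48-bit virtual address width, the lower-half user mapping and the function names are assumptions made for illustration. The point it demonstrates is the general rule behind the fix: sysretq may only be used when the return RIP is a canonical user-space address, because on affected Intel CPUs a non-canonical RCX makes sysret fault in ring 0 before the stack switch, and every other case must go through iretq.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Implemented virtual address bits (4-level paging). Assumption for this model. */
#define VA_BITS 48

typedef enum { RET_SYSRETQ, RET_IRETQ } ret_path_t;

/* Minimal stand-in for a saved user register frame (hypothetical name). */
struct trapframe {
    uint64_t rip;
    uint64_t rsp;
};

/* A canonical address has bits 63..VA_BITS-1 all equal to bit VA_BITS-1.
 * For VA_BITS == 48 that is the top 17 bits, all zero or all one. */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> (VA_BITS - 1);
    uint64_t all_ones = (1ULL << (64 - VA_BITS + 1)) - 1;
    return top == 0 || top == all_ones;
}

/* User space is modelled as the canonical lower half (bit 63 clear). Assumption. */
bool is_user_address(uint64_t addr)
{
    return is_canonical(addr) && (addr >> 63) == 0;
}

/* Model of the "bogus return address" check: a syscall that installs a new
 * user RIP (sigreturn-style) must refuse anything that is not a canonical
 * user address. Returns 0 on success, -1 when the value is rejected and the
 * frame is left untouched. */
int set_user_return_address(struct trapframe *tf, uint64_t new_rip)
{
    if (!is_user_address(new_rip))
        return -1;
    tf->rip = new_rip;
    return 0;
}

/* Choose the instruction used to return to user mode.
 * - The signal-handler return path always takes iretq (the OpenBSD 5.0 change).
 * - Any frame whose RIP is not a canonical user address takes iretq, which
 *   delivers a normal fault to the process instead of faulting in ring 0.
 * - Only a frame that passed both tests is eligible for the fast sysretq. */
ret_path_t choose_return_path(const struct trapframe *tf, bool from_signal_handler)
{
    if (from_signal_handler)
        return RET_IRETQ;
    if (!is_user_address(tf->rip))
        return RET_IRETQ;
    return RET_SYSRETQ;
}

int main(void)
{
    /* Constructed sample values: one ordinary user RIP and one that is one
     * bit past the top of the canonical lower half. */
    struct trapframe tf = { .rip = 0x400000, .rsp = 0x7ffffffde000 };
    uint64_t bogus = 0x0000800000000000ULL;

    printf("0x%llx canonical user: %s\n", (unsigned long long)tf.rip,
           is_user_address(tf.rip) ? "yes" : "no");
    printf("0x%llx canonical user: %s\n", (unsigned long long)bogus,
           is_user_address(bogus) ? "yes" : "no");
    printf("set_user_return_address(bogus) -> %d\n",
           set_user_return_address(&tf, bogus));
    printf("return path for syscall: %s\n",
           choose_return_path(&tf, false) == RET_SYSRETQ ? "sysretq" : "iretq");
    printf("return path for signal return: %s\n",
           choose_return_path(&tf, true) == RET_SYSRETQ ? "sysretq" : "iretq");
    return 0;
}
```

The model keeps the two checks separate on purpose: the first is the 2004-era input validation at the point where user state is written, and the second is the belt-and-braces choice of return instruction that the 5.0 change made unconditional for the signal path. Either one alone closes the hole for the case it covers; both together leave no path by which a non-canonical RIP reaches sysretq.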
