CVE-2012-0217: SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware

Discussion:

(too old to reply)

bj.perso

2012-06-13 06:57:00 UTC

Hello,

FreeBSD and NetBSD seem affected, how about OpenBSD ?

Bye,

ben.

___________________________________________________________
Trouvez des idées cadeaux pour la fête des pères sur Voila.fr
http://shopping.voila.fr/vitrine/hi-fi-photo-video

Philip Guenther

2012-06-13 07:54:02 UTC

Permalink

Post by bj.perso
FreeBSD and NetBSD seem affected, how about OpenBSD ?

Nope. The necessary check(s) for setting bogus return addresses has been
in place since, uh, 2004. Ditto for always returning from signal handlers
using iretq instead of sysretq.

Philip Guenthet

Philip Guenther

2012-06-18 18:34:48 UTC

Permalink

Post by bj.perso
FreeBSD and NetBSD seem affected, how about OpenBSD ?

Nope. The necessary check(s) for setting bogus return addresses has been

place since, uh, 2004. Ditto for always returning from signal handlers
using iretq instead of sysretq.

To correct and clarify: while the "bogus return address" checks date
back to 2004, the return from signal handler path wasn't *forced* to
use iretq until OpenBSD 5.0. Previous versions used iretq normally,
but manually written code could force it to use sysretq and trigger
this issue.

(Thank you to Rafal Wojtczuk for the original discussion and for
catching my misleading note above.)

So, if you're still running and64 OpenBSD 4.9 or earlier on Intel
hardware, you need to upgrade.

(Thanks, Intel, for screwing this up.)

Philip Guenther