Description

arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value.

References

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=41bdc78544b8a93a9c6814b8bbbfef966272abbe

http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html

http://rhn.redhat.com/errata/RHSA-2015-1272.html

http://secunia.com/advisories/62801

http://www.debian.org/security/2015/dsa-3128

http://www.mandriva.com/security/advisories?name=MDVSA-2015:058

http://www.openwall.com/lists/oss-security/2014/12/15/6

http://www.securityfocus.com/bid/71684

http://www.ubuntu.com/usn/USN-2490-1

http://www.ubuntu.com/usn/USN-2491-1

http://www.ubuntu.com/usn/USN-2492-1

http://www.ubuntu.com/usn/USN-2493-1

http://www.ubuntu.com/usn/USN-2515-1

http://www.ubuntu.com/usn/USN-2516-1

http://www.ubuntu.com/usn/USN-2517-1

http://www.ubuntu.com/usn/USN-2518-1

https://bugzilla.redhat.com/show_bug.cgi?id=1172797

https://github.com/torvalds/linux/commit/41bdc78544b8a93a9c6814b8bbbfef966272abbe

Details

Risk Information

CVSS v2