~apw/ubuntu/+source/linux/+git/trusty:CVE-2015-2390

Last commit made on 2015-07-29
Get this branch:
git clone -b CVE-2015-2390 https://git.launchpad.net/~apw/ubuntu/+source/linux/+git/trusty

Branch information

Name:
CVE-2015-2390
Repository:
lp:~apw/ubuntu/+source/linux/+git/trusty

Recent commits

f3caf1a... by Andy Lutomirski <email address hidden> on 2015-07-11

x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection

commit 810bc075f78ff2c221536eb3008eac6a492dba2d upstream.

We have a tricky bug in the nested NMI code: if we see RSP pointing
to the NMI stack on NMI entry from kernel mode, we assume that we
are executing a nested NMI.

This isn't quite true. A malicious userspace program can point RSP
at the NMI stack, issue SYSCALL, and arrange for an NMI to happen
while RSP is still pointing at the NMI stack.

Fix it with a sneaky trick. Set DF in the region of code that the RSP
check is intended to detect. IRET will clear DF atomically.

(Note: other than paravirt, there's little need for all this complexity.
 We could check RIP instead of RSP.)

Fixes CVE-2015-3291.

Cc: <email address hidden>
Reviewed-by: Steven Rostedt <email address hidden>
Signed-off-by: Andy Lutomirski <email address hidden>
[bwh: Backported to 4.0: adjust filename, context]
Signed-off-by: Ben Hutchings <email address hidden>
Acked-by: John Johansen <email address hidden>
Acked-by: Andy Whitcroft <email address hidden>
CVE-2015-3291
Signed-off-by: Luis Henriques <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>