CVE-2012-0217 Intel's sysret Kernel Privilege Escalation and FreeBSD 6.2/6.3
John Baldwin
jhb at freebsd.org
Fri Jul 13 15:09:16 UTC 2012
On Friday, July 13, 2012 10:42:04 am Poul-Henning Kamp wrote:
> In message <201207130831.59211.jhb at freebsd.org>, John Baldwin writes:
>
> >Every FreeBSD/amd64 kernel in existence is vulnerable. In truth, my personal
> >opinion is that Intel screwed up their implementation of that instruction
> >whereas AMD got it right, and we are merely working around Intel's CPU bug. :(
>
> Given that the instruction set of AMD64 is defined by AMD originally,
> while Intel was trying very hard to ram Itanic down everybody's
> throat, that diagnosis is a given: Intel copied AMD, and the difference
> in functionality is a screwup on Intel's part, even if they documented
> their screwup in their manual.
>
> TL;DR: Which part of "compatible" doesn't Intel get ?
In this case, I believe they were just lazy and reused some existing block to
manage this exception case without properly thinking through the security
implications of using a user-supplied stack pointer to handle a fault.
--
John Baldwin
More information about the freebsd-hackers mailing list