Vigil@nce - Linux kernel: bypassing ASLR via __switch_to
December 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can manipulate the segment registers of a thread
so that the Linux kernel leaks another task's TLS base address, in
order to bypass ASLR.
Impacted products: Linux
Severity: 1/4
Creation date: 19/12/2014
DESCRIPTION OF THE VULNERABILITY
The Linux kernel uses ASLR (Address Space Layout Randomization) to
randomize the memory addresses used by programs and libraries, so
that an attacker cannot predict where code and data are mapped.
The __switch_to() function of the arch/x86/kernel/process_64.c
file performs the context switch from one task to the next. Before
the fix, it reloaded the DS and ES segment registers of the
incoming task while the GDT still held the outgoing task's TLS
(Thread Local Storage) descriptors, and installed the incoming
task's TLS descriptors only afterwards. A task that points DS or ES
at a TLS selector therefore gets the previous task's TLS descriptor
cached in that segment register, and can use it to obtain the base
address of that task's TLS. Since this base lies in the randomized
part of the address space, the leak defeats ASLR for the victim
task (CVE-2014-9419). The fix loads the TLS descriptors before DS
and ES are switched.
A local attacker can therefore manipulate the segment registers of
a thread on the Linux kernel, in order to bypass ASLR.
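To show what such a leak is worth, here is an added example for x86-64 Linux (it is not code from the bulletin, from Vigil@nce or from the kernel sources): it reads the calling thread's TLS base both from the kernel, via arch_prctl(ARCH_GET_FS), and from user space, via the self pointer at %fs:0, locates libc in /proc/self/maps and computes the distance between the two. Run it twice: the absolute addresses change with ASLR while the difference typically stays the same, which is why obtaining a TLS base address is an ASLR bypass rather than a harmless information leak. It assumes glibc or musl (both keep the TCB self pointer at %fs:0); the file name tls_aslr_leak.c and the function names are ours.

```c
/* tls_aslr_leak.c: why a leaked TLS base defeats ASLR on x86-64 Linux.
 * Added illustration for this bulletin; not code from Vigil@nce or the kernel.
 * Assumes x86-64 Linux with glibc or musl (both keep the TCB self pointer at %fs:0). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>

#ifndef SYS_arch_prctl
#define SYS_arch_prctl 158       /* x86-64 syscall number of arch_prctl */
#endif
#define ARCH_GET_FS 0x1003       /* value from asm/prctl.h */

long syscall(long number, ...);  /* libc's raw syscall wrapper, declared here so no feature macro is needed */

static __thread int tls_var;     /* a thread-local: placed in the static TLS block just below the TCB */

/* TLS base of the calling thread as the kernel tracks it (restored on every context switch). */
uintptr_t tls_base_from_kernel(void)
{
    unsigned long base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
    return (uintptr_t)base;
}

/* Same value read purely from user space: the first word of the TCB points to the TCB itself. */
uintptr_t tls_base_from_self_pointer(void)
{
    uintptr_t p;
    __asm__ volatile("movq %%fs:0, %0" : "=r"(p));
    return p;
}

/* Start of the first readable mapping of the C library, from /proc/self/maps (0 if not found). */
uintptr_t libc_base(void)
{
    char line[512];
    uintptr_t base = 0;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long start, end;
        char perms[8];
        /* line format: start-end perms offset dev inode path */
        if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) != 3)
            continue;
        if ((strstr(line, "/libc.") || strstr(line, "/libc-")) && strchr(perms, 'r')) {
            base = (uintptr_t)start;
            break;
        }
    }
    fclose(f);
    return base;
}

/* Distance from libc's load address to the TLS base. Both live in the mmap area, which
 * ASLR shifts as one block, so the difference normally stays the same across runs while
 * the absolute addresses change: a leaked TLS base therefore pins down libc as well. */
intptr_t tls_to_libc_delta(void)
{
    return (intptr_t)tls_base_from_kernel() - (intptr_t)libc_base();
}

/* 1 if tls_var sits just below the TLS base: a leaked base also locates every __thread
 * variable and, on glibc, the stack-protector canary stored at %fs:0x28. */
int tls_var_below_base(void)
{
    uintptr_t base = tls_base_from_kernel();
    uintptr_t v = (uintptr_t)&tls_var;
    return v < base && base - v < 65536;
}

int main(void)
{
    printf("TLS base (ARCH_GET_FS) : 0x%lx\n", (unsigned long)tls_base_from_kernel());
    printf("TLS base (%%fs:0)       : 0x%lx\n", (unsigned long)tls_base_from_self_pointer());
    printf("libc load address      : 0x%lx\n", (unsigned long)libc_base());
    printf("TLS base - libc base   : 0x%lx\n", (unsigned long)tls_to_libc_delta());
    printf("&tls_var below base    : %d\n", tls_var_below_base());
    return 0;
}
```

Build with gcc -O2 -o tls_aslr_leak tls_aslr_leak.c and run it a few times. One caveat for anyone trying to reproduce the bulletin's condition: in 64-bit mode the processor ignores the base of DS and ES, so a stale descriptor cached in those registers is only usable from a 32-bit (compat) task, whose TLS base lives in the GDT entries set with set_thread_area(); those GDT entries are the descriptors that __switch_to() installed too late, whereas the FS base read above is restored separately.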
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-bypassing-ASLR-via-switch-to-15852