This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

A local attacker can use ptrace, SYSRET and RIP on a Linux kernel
installed on x86_64, in order to escalate his privileges.

Impacted products : Debian, Fedora, Linux, SUSE Linux Enterprise
Desktop, SLES, Ubuntu

Severity : 2/4

Creation date : 07/07/2014

Revision date : 09/07/2014

DESCRIPTION OF THE VULNERABILITY

The ptrace() function is used to monitor the execution of a
process.

The SYSCALL/SYSRET assembler instruction is used to manage the
enter and the return from a system call.

The RIP 64 bit register indicates the instruction pointer (the
address which contains the code to execute).

However, an attacker can use ptrace, with SYSRET and RIP 64, in
order to modify the processor state.

A local attacker can therefore use ptrace, SYSRET and RIP on a
Linux kernel installed on x86_64, in order to escalate his
privileges.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/Linux-kernel-privilege-escalation-via-ptrace-SYSRET-RIP-14994