Vigil@nce - Linux kernel: privilege escalation via TLB synchronization between processors
February 2016 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger a synchronization error of processor’ TLB
in the Linux kernel, in order to escalate his privileges.
– Impacted products: Linux.
– Severity: 1/4.
– Creation date: 25/01/2016.
DESCRIPTION OF THE VULNERABILITY
The x86 processors include a cache of the page table, which must
be shared by all processors.
The Linux kernel implements a specific protocol to spread changes
to the page table into all the processors’ cache. However, there
is an error in this protocol and a consequence is that there may
be a sequence of instructions and hardware interrupts that grant
access to a memory area which should be unreachable.
An attacker can therefore trigger a synchronization error of
processor’ TLB in the Linux kernel, in order to escalate his
privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN