After closer examination, I found out, that the FPU-state handling
errors were not specific to vm86-syscall, also normal 32-bit userspace
code could bring the FPU/CPU into the same state.
Just for fun, I wrote a local-root privilege escalation POC. It
requires mmap_min_addr=0 on modern kernels, which should NOT be the
default, unless you are are using Linux to play DOS-games from the 90'
I tried to do some nice tricks, e.g. use just two kernel-land writes
for privilege escalation: one just adds the value 0xffff0001
(semaphore down_write), the other one changes 4 bytes in
modprobe_path. Hence the POC just contains 12 bytes of binary code.
The POC code with a little more explanation can be found here:
The exact analysis of the kernel bug is not yet complete, currently it
is only proven to work on AMD E-350 processor, both in VirtualBox and
on bare hardware. So if you were lucky to trigger at least an OOPS on
another hardware, I would be interested about it.
PS: It uses the address values from current debian-sid kernel (see
System.map) and runs only on 32bit kernel, so don't ask why it won't
work on your 64-bit RedHat.