FreeBSD -- amd64 swapgs local privilege escalation

2008-09-03T00:00:00
ID 6D4E4759-7B67-11DD-80BA-000BCDF0A03B
Type freebsd
Reporter FreeBSD
Modified 2016-08-09T00:00:00

Description

Problem Description: If a General Protection Fault happens on a FreeBSD/amd64 system while it is returning from an interrupt, trap or system call, the swapgs CPU instruction may be executed one extra time when it should not be, resulting in userland and kernel state being mixed.

Impact: A local attacker who causes a General Protection Fault while the kernel is returning from an interrupt, trap or system call, while also manipulating stack frames, can run arbitrary code with kernel privileges. The vulnerability can be used to gain kernel / supervisor privilege. This can for example be used by normal users to gain root privileges, to break out of jails, or to bypass Mandatory Access Control (MAC) restrictions.

Workaround: No workaround is available, but only systems running the 64 bit FreeBSD/amd64 kernel are vulnerable. Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386 kernel, are not vulnerable.