From owner-freebsd-bugs@freebsd.org Fri Sep 23 13:00:18 2016
Return-Path:
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B044BBE690E for ; Fri, 23 Sep 2016 13:00:18 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A0670BFE for ; Fri, 23 Sep 2016 13:00:18 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u8ND0Hj0098052 for ; Fri, 23 Sep 2016 13:00:18 GMT (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 212708] aio cross-process memory corruption
Date: Fri, 23 Sep 2016 13:00:14 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-STABLE
X-Bugzilla-Keywords:
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: slw@zxy.spb.ru
X-Bugzilla-Status: New
X-Bugzilla-Resolution:
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 23 Sep 2016 13:00:18 -0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212708

--- Comment #3 from slw@zxy.spb.ru ---

(In reply to op from comment #1)

As far as I understand the patch and the comments by kib@, this issue may be exploitable and used as a vulnerability on any x86 CPU without the INVPCID instruction.

For an exploit, the attacker needs to:

1) Run a binary and start an AIO read from a prepared file (AIO is enabled by default in the GENERIC kernel).

2) Force a context switch to the target process near the execution of vmspace_switch_aio() (by sending some network traffic to the daemon: opening an ssh connection, for example).

This may be repeated as many times as needed for success.

It looks exploitable cross-jail and may be cross-VM (not sure).

Committable fix from kib@:
https://lists.freebsd.org/pipermail/freebsd-stable/2016-September/085705.html

--
You are receiving this mail because:
You are the assignee for the bug.