Date: Fri, 13 Jul 2012 11:02:14 -0400
From: John Baldwin <jhb@freebsd.org>
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Cc: freebsd-hackers@freebsd.org, Bill Crisp <bcrisp@crispernetworks.com>
Subject: Re: CVE-2012-0217 Intel's sysret Kernel Privilege Escalation and FreeBSD 6.2/6.3
Message-ID: <201207131102.14379.jhb@freebsd.org>
In-Reply-To: <44644.1342190524@critter.freebsd.dk>
References: <44644.1342190524@critter.freebsd.dk>

On Friday, July 13, 2012 10:42:04 am Poul-Henning Kamp wrote:
> In message <201207130831.59211.jhb@freebsd.org>, John Baldwin writes:
>
> >Every FreeBSD/amd64 kernel in existence is vulnerable.  In truth, my personal
> >opinion is that Intel screwed up their implementation of that instruction
> >whereas AMD got it right, and we are merely working around Intel's CPU bug. :(
>
> Given that the instruction set of AMD64 is defined by AMD originally,
> while Intel was trying very hard to ram Itanic down everybody's
> throat, that diagnosis is a given: Intel copied AMD, and difference
> in functionality is a screwup on Intel's part, even if they documented
> their screwup in their manual.
>
> TL;DR: Which part of "compatible" doesn't Intel get?

In this case, I believe they were just lazy and reused some existing block to
manage this exception case without properly thinking through the security
implications of using a user-supplied stack pointer to handle a fault.

-- 
John Baldwin