FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Local privilege escalation in IRET handler

Affected packages
10.1 <= FreeBSD-kernel < 10.1_19
9.3 <= FreeBSD-kernel < 9.3_24


VuXML ID 0dfa5dde-600a-11e6-a6c3-14dae9d210b8
Discovery 2015-08-25
Entry 2016-08-11

Problem Description:

If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler.


By causing an IRET with #SS or #NP exceptions, a local attacker can cause the kernel to use an arbitrary GS base, which may allow escalated privileges or panic the system.


CVE Name CVE-2015-5675
FreeBSD Advisory SA-15:21.amd64