It was found that espfix funcionality (when returning to userspace with a 16 bit stack, the CPU will not restore the high word of esp for us on executing iret and thus potentially leaks kernel addresses; espfix fixes this) does not work for 32-bit KVM paravirt guests. A local unprivileged user could potentially use this flaw to leak kernel stack addresses. Proposed upstream patch: http://www.spinics.net/lists/kvm/msg111458.html Acknowledgements: Red Hat would like to thank Andy Lutomirski for reporting this issue.
Statement: This issue did not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 7, and Red Hat Enterprise Linux MRG 2.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1172769]
Upstream patch: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?h=linux-next&id=29fa6825463c97e5157284db80107d1bfac5d77b
kernel-3.17.7-200.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.17.7-300.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.14.27-100.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0855 https://rhn.redhat.com/errata/RHSA-2016-0855.html