It was found that because paranoid entry does not contain the swapgs fixup for bad_iret (unlike error entry), under certain conditions (#SS on iret) it can happen that bad_iret is reached with usergs instead of kernelgs that it is expecting. A local unprivileged user can use this flaw to increase their privileges on the system.
Upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6f442be2fb22be02cafa606f1769fa1e6f894441
Acknowledgements: Red Hat would like to thank Andy Lutomirski for reporting this issue.
Statement: This issue does affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 4, 5, 6, and 7, and Red Hat Enterprise MRG 2. Future Linux kernel updates for the respective releases will address this issue.
Fedora included the patch for this issue as part of the CVE-2014-9090 fix and the impact was limited to local DoS due to the espfix64 functionality.
This issue has been addressed in the following products: MRG for RHEL-6 v.2 Via RHSA-2014:1998 https://rhn.redhat.com/errata/RHSA-2014-1998.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1997 https://rhn.redhat.com/errata/RHSA-2014-1997.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:2008 https://rhn.redhat.com/errata/RHSA-2014-2008.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only Via RHSA-2014:2009 https://rhn.redhat.com/errata/RHSA-2014-2009.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2014:2010 https://rhn.redhat.com/errata/RHSA-2014-2010.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.2 AUS Via RHSA-2014:2028 https://rhn.redhat.com/errata/RHSA-2014-2028.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5.6 Long Life Via RHSA-2014:2031 https://rhn.redhat.com/errata/RHSA-2014-2031.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5.9 EUS - Server Only Via RHSA-2014:2029 https://rhn.redhat.com/errata/RHSA-2014-2029.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only Via RHSA-2014:2030 https://rhn.redhat.com/errata/RHSA-2014-2030.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 4 Extended Lifecycle Support Via RHSA-2015:0009 https://rhn.redhat.com/errata/RHSA-2015-0009.html
Detailed analysis of this issue has been posted on oss-sec: http://seclists.org/oss-sec/2015/q3/25