A flaw was found in the way Linux kernel's nested NMI handler and espfix64 functionalities interacted during NMI processing.
A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
Red Hat would like to thank Andy Lutomirski for reporting this issue.
In order to exploit this issue non-root (non-privileged) user needs to make the Linux kernel's NMI handler perform an iret instruction, which re-enables NMIs and thus the nested NMI code path in the NMI handler is exercised.
To our knowledge, an unprivileged local user can do that since upstream commit https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e00b12e64be9a34ef071de7b6052ca9ea29dd460.
This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6 since they did not backport the nested NMI handler and espfix64 functionalities.
This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2 since they did not backport the espfix64 functionality and also did not backport upstream commit e00b12e64be9a3 that allowed an unprivileged local user to re-enable NMIs from the NMI handler.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1245936]