Bug 481358 (CVE-2013-4254) - Kernel: privilege escalation on ARM/perf (CVE-2013-4254)
Summary: Kernel: privilege escalation on ARM/perf (CVE-2013-4254)
Status: RESOLVED FIXED
Alias: CVE-2013-4254
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A1 [noglsa]
Reported: 2013-08-16 19:35 UTC by Agostino Sarubbo
Modified: 2016-06-30 10:32 UTC (History)

Description Agostino Sarubbo gentoo-dev 2013-08-16 19:35:53 UTC
From ${URL}:

I have a fuzzer tool for the perf_event_open() syscall that found
a few oopses on the ARM platform, which I reported to lkml a week ago.

One of the oopses can lead to a local privilege escalation on ARM-perf.
This fix can be found here:
  http://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=7809/1
The discussion thread is:
  https://lkml.org/lkml/2013/8/7/259 

The hope is this appears in 3.11-rc6 but my attempts to get the people at 
security@...r.kernel.org to take this seriously didn't really go very 
well.

I do have code that will exploit the kernel and give me a root shell
on an ARM Pandaboard machine running 3.11-rc4.  The exploit is a bit 
fragile though:
  + Only works on ARM
  + Elevates from normal user to root, no special config required.
    perf_event syscalls run as regular users, not sure why some
    think you need root.
  + It does need a user-mappable address at an exact byte offset
    from a pmu_struct in memory.  This limits things somewhat; in
    my testing 3.11-rc kernels have INT_MIN at exactly the right place 
    but the exploit doesn't work on a 3.7.6 kernel,
    it just oopses or crashes the machine.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-08-30 01:01:42 UTC
CVE-2013-4254 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4254):
  The validate_event function in arch/arm/kernel/perf_event.c in the Linux
  kernel before 3.10.8 on the ARM platform allows local users to gain
  privileges or cause a denial of service (NULL pointer dereference and system
  crash) by adding a hardware event to an event group led by a software event.
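The mechanism behind the CVE text above (a hardware event added to a group led by a software event) and the reporter's remark that the exploit needs a user-mappable address at an exact byte offset from a pmu struct can be made concrete with a small user-space model. The block below is an added example, not kernel code and not the reporter's exploit: the struct and function names follow the kernel's for orientation only (struct pmu, struct arm_pmu, validate_event, is_software_event, get_event_idx), the layouts are simplified, the "neighbour word" after the software pmu is a constructed stand-in for whatever object the kernel happens to place there, and the hardened variant is modelled on the upstream fix, which leaves validate_event early for software events before any arm_pmu cast. The point it shows: the arm_pmu container cast is only safe if the pmu really is an arm_pmu; applied to a software pmu it turns a pointer-sized word at a fixed offset past the struct into a function pointer, so a zero there is a NULL dereference and a user-mappable value there is a jump into attacker-controlled memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Event/pmu types, named after the kernel's PERF_TYPE_* (model only). */
enum { PERF_TYPE_HARDWARE = 0, PERF_TYPE_SOFTWARE = 1 };

struct perf_event;
typedef int (*get_event_idx_fn)(struct perf_event *);

/* Generic pmu header shared by every pmu (stand-in for struct pmu). */
struct pmu { int type; };

/* ARM hardware pmu: generic header at offset 0, then driver callbacks
 * (stand-in for struct arm_pmu; to_arm_pmu() is a container_of() from the
 * embedded header, which with offset 0 is a plain pointer cast). */
struct arm_pmu {
    struct pmu pmu;
    get_event_idx_fn get_event_idx;
};

/* A software pmu is only a struct pmu. Whatever follows it in memory is some
 * unrelated object; this constructed layout makes that neighbour explicit. */
struct sw_pmu_in_memory {
    struct pmu pmu;
    uintptr_t neighbour_word;   /* what a wrong arm_pmu cast reads as get_event_idx */
};

struct perf_event {
    struct pmu *pmu;
    struct perf_event *group_leader;
    struct perf_event *next_sibling;   /* NULL-terminated sibling list (model) */
};

enum verdict { REJECTED = 0, ACCEPTED = 1, NULL_DEREF = -1, CALLS_FOREIGN_WORD = -2 };

static int is_software_event(const struct perf_event *ev)
{
    return ev->pmu->type == PERF_TYPE_SOFTWARE;
}

/* The word the arm_pmu cast would use as get_event_idx: a pointer-sized value
 * at a fixed byte offset from the struct pmu, whatever object actually lives there. */
static uintptr_t callback_word_seen_by_cast(const struct pmu *p)
{
    uintptr_t word;
    memcpy(&word, (const char *)p + offsetof(struct arm_pmu, get_event_idx), sizeof word);
    return word;
}

/* Pre-fix shape: every group member is treated as an arm_pmu event. For a real
 * hardware event the cast is right and the callback runs. For a software event
 * the model reports what the indirect call would do instead of performing it. */
static enum verdict validate_event_vuln(struct perf_event *ev, uintptr_t *target)
{
    if (!is_software_event(ev)) {
        struct arm_pmu *armpmu = (struct arm_pmu *)ev->pmu;
        return armpmu->get_event_idx(ev) >= 0 ? ACCEPTED : REJECTED;
    }
    *target = callback_word_seen_by_cast(ev->pmu);
    return *target == 0 ? NULL_DEREF : CALLS_FOREIGN_WORD;
}

/* Hardened shape: software events never belong to the ARM pmu, so accept them
 * without ever casting their pmu to arm_pmu. */
static enum verdict validate_event_fixed(struct perf_event *ev, uintptr_t *target)
{
    if (is_software_event(ev))
        return ACCEPTED;
    return validate_event_vuln(ev, target);
}

typedef enum verdict (*validate_fn)(struct perf_event *, uintptr_t *);

/* Group check run when an event is added: leader, existing siblings, new event. */
static enum verdict validate_group(struct perf_event *ev, validate_fn validate, uintptr_t *target)
{
    struct perf_event *leader = ev->group_leader;
    enum verdict v = validate(leader, target);
    for (struct perf_event *s = leader->next_sibling; v == ACCEPTED && s; s = s->next_sibling)
        v = validate(s, target);
    return v == ACCEPTED ? validate(ev, target) : v;
}

static int arm_get_event_idx(struct perf_event *ev) { (void)ev; return 0; }
static struct arm_pmu cpu_pmu = { { PERF_TYPE_HARDWARE }, arm_get_event_idx };

/* The CVE trigger: a hardware event added to a group led by a software event.
 * `neighbour` is the word that happens to follow the software pmu in memory
 * (the reporter saw INT_MIN there on 3.11-rc kernels; 0 gives the NULL deref). */
static enum verdict add_hw_event_to_sw_group(uintptr_t neighbour, validate_fn validate, uintptr_t *target)
{
    struct sw_pmu_in_memory sw = { { PERF_TYPE_SOFTWARE }, neighbour };
    struct perf_event leader = { &sw.pmu, NULL, NULL };
    struct perf_event hw = { &cpu_pmu.pmu, &leader, NULL };
    leader.group_leader = &leader;
    return validate_group(&hw, validate, target);
}

/* Control case: a hardware-led group is valid with either version. */
static enum verdict add_hw_event_to_hw_group(validate_fn validate, uintptr_t *target)
{
    struct perf_event leader = { &cpu_pmu.pmu, NULL, NULL };
    struct perf_event hw = { &cpu_pmu.pmu, &leader, NULL };
    leader.group_leader = &leader;
    return validate_group(&hw, validate, target);
}

int main(void)
{
    uintptr_t target = 0;
    printf("vuln,  neighbour 0:          %d\n", add_hw_event_to_sw_group(0, validate_event_vuln, &target));
    printf("vuln,  neighbour 0x80000000: %d (would call 0x%lx)\n",
           add_hw_event_to_sw_group(0x80000000u, validate_event_vuln, &target), (unsigned long)target);
    printf("fixed, neighbour 0x80000000: %d\n", add_hw_event_to_sw_group(0x80000000u, validate_event_fixed, &target));
    return 0;
}
```

The two structs are laid out so that the neighbour word sits at exactly offsetof(struct arm_pmu, get_event_idx); that coincidence of offsets is the "exact byte offset from a pmu_struct" the reporter describes, and it is also why the exploit is fragile across kernel versions: the value found there is whatever the build happens to place after the software pmu, not something the attacker chooses.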
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 10:32:02 UTC
<3.10.8 kernel versions are no longer in the tree.