Bug 469854 (CVE-2013-2094)

Summary: Kernel: perf_swevent_enabled array out-of-bound access (CVE-2013-2094)
Product: Gentoo Security
Reporter: Tom Wijsman (TomWij) (RETIRED) <tomwij>
Component: Kernel
Assignee: Gentoo Kernel Security <security-kernel>
Status: RESOLVED FIXED
Severity: normal
CC: alexander, blueness, hardened, kernel, kfm, randy
Priority: Normal
Flags: nattka: sanity-check-
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8176cced706b5e5d15887584150764894e94e02f
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=962792
Runtime testing required: ---
Bug Depends on: 469956, 522930    

Description Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-05-14 16:28:55 UTC
Upstream fix in "URL" mentions:

> Trinity discovered that we fail to check all 64 bits of attr.config passed by user space, resulting to out-of-bounds access of the perf_swevent_enabled array in sw_perf_event_destroy().

RedHat bug in "See Also" mentions:

> A local unprivileged user can use this flaw to increase their privileges on the system.

Introduced in:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b0a873ebbf87bf38bf70b5e39a7cadc96099fa13

References:

http://lkml.indiana.edu/hypermail/linux/kernel/1304.1/03652.html
https://news.ycombinator.com/item?id=5703758
http://packetstormsecurity.com/files/121616/semtex.c
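
The upstream description quoted above says that not all 64 bits of attr.config were checked. The following user-space C model is an added example, not code from the kernel, the upstream commit or this bug report; it contrasts a bound check made on a truncated copy of the value with one made on the full 64-bit value. The table size `SW_EVENT_MAX`, the function names and the choice of a signed 32-bit truncation are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SW_EVENT_MAX 9u /* constructed table size, not taken from the page */

/* Model (assumption): only the low 32 bits of the u64 are kept, read as signed. */
static int64_t low32_signed(uint64_t config)
{
    int64_t low = (int64_t)(config & 0xffffffffu);
    return (low >= 0x80000000LL) ? low - 0x100000000LL : low;
}

/* Flawed bound check: only the truncated, signed value is compared. */
bool accepts_truncated(uint64_t config)
{
    return low32_signed(config) < (int64_t)SW_EVENT_MAX;
}

/* Corrected bound check: all 64 bits are compared, unsigned. */
bool accepts_full(uint64_t config)
{
    return config < SW_EVENT_MAX;
}

/* True when the flawed check lets through an id that is outside the table. */
bool slips_through(uint64_t config)
{
    return accepts_truncated(config) && !accepts_full(config);
}

int main(void)
{
    /* Constructed inputs: valid id, plainly too large, high bits set, sign bit set. */
    const uint64_t samples[] = { 3, 9, 0x100000003ULL, 0x80000000ULL,
                                 0xffffffffffffffffULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("config=0x%016llx truncated=%d full=%d slips=%d\n",
               (unsigned long long)samples[i], accepts_truncated(samples[i]),
               accepts_full(samples[i]), slips_through(samples[i]));
    return 0;
}
```

Any value for which `slips_through` returns true passes validation in this model while a later user of the full 64-bit value would index outside the table, which is why the check has to be made on the same width and signedness as the value that is eventually used.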
Comment 1 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-05-14 17:13:26 UTC
Fix is present in the following kernels:

 # git tag --contains 8176cced706b5e5d15887584150764894e94e02f
v3.9
v3.9-rc8
v3.9.1
v3.9.2

 # git tag --contains ff91fd5bc105f29a34755a6dd6d547c877b7d027
v3.8.10
v3.8.11
v3.8.12
v3.8.13
v3.8.9

 # git tag --contains da307d100cd4979e353e8265d0691263aa2a0086
v3.4.42
v3.4.43
v3.4.44
v3.4.45

 # git tag --contains 3fc8fc1cc2d585c1f695f7de914063258aafe50e
v3.2.45

 # git tag --contains 456edf57d7a6fe1b238ec708b19063d78cf4b250
v3.0.75
v3.0.76
v3.0.77
v3.0.78

Immediate actions which I will take for sys-kernel/gentoo-sources within minutes:

- Removal of affected v3.0.74, v3.2.41, v3.2.42, v3.2.43, v3.2.44, v3.4.34, v3.4.41, v3.6.11-r1, v3.6.11-r2.

- Addition of v3.2.45.

Delayed actions which will be taken for sys-kernel/gentoo-sources:

- Removal of v3.7.10, v3.7.10-r1 once v3.8.13 has been stabilized.
Comment 2 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-05-14 17:41:05 UTC
+  14 May 2013; Tom Wijsman <TomWij@gentoo.org> ChangeLog
+  -gentoo-sources-3.0.74.ebuild, -gentoo-sources-3.2.41.ebuild,
+  -gentoo-sources-3.2.42.ebuild, -gentoo-sources-3.2.43.ebuild,
+  -gentoo-sources-3.2.44.ebuild, +gentoo-sources-3.2.45.ebuild,
+  -gentoo-sources-3.4.34.ebuild, -gentoo-sources-3.4.41.ebuild,
+  -gentoo-sources-3.6.11-r1.ebuild, -gentoo-sources-3.6.11-r2.ebuild, Metadata
+  Linux patch 3.2.45. Removal of affected versions 3.0.74, 3.2.41, 3.2.42,
+  3.2.43, 3.2.44, 3.4.34, 3.4.41, 3.6.11-r1, 3.6.11-r2; see bug #469854.
Comment 3 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-06-22 12:07:50 UTC
+  22 Jun 2013; Tom Wijsman <TomWij@gentoo.org> +gentoo-sources-3.7.10-r1.ebuild,
+  -gentoo-sources-3.7.10.ebuild, metadata.xml:
+  Revision bump. Applied security patch to 3.7.10 such that the root exploit is
+  no longer present on the remaining arches, which have not responded to
+  stabilization in a long time, directly to stable as the patches involved are
+  stable; as per the decision in bug #338739 comment 44.
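Review bot: the message on the "Applied security patch to 3.7.10" line does not say which patch or which issue it addresses; the only reference given is bug #338739 comment 44, for the stabilization decision. Consider naming the fix and adding "see bug #469854", as the 14 May entry does, so the revision bump can be traced to CVE-2013-2094 from the ChangeLog alone.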
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-30 00:53:23 UTC
All upstream LTS kernels include the patch; all sys-kernel/gentoo-sources ebuilds excluding sys-kernel/gentoo-sources-3.4.x have stable ebuilds containing the fix.

sys-kernel/gentoo-sources-3.4.x is currently being stabilized in bug 522930.
Comment 5 NATTkA bot gentoo-dev 2020-04-10 08:32:45 UTC
Unable to check for sanity:

> no match for package: =sys-kernel/gentoo-sources-3.4.113
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2020-04-10 21:19:38 UTC
The 3.X is no longer in tree.

Closing Bug.