| Summary: | Kernel : priviledge escalation on ARM/perf (CVE-2013-4254) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Kernel | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | kernel |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2013/08/14/13 | ||
| Whiteboard: | A1 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
CVE-2013-4254 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4254): The validate_event function in arch/arm/kernel/perf_event.c in the Linux kernel before 3.10.8 on the ARM platform allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by adding a hardware event to an event group led by a software event. <3.10.8 kernel versions are no longer in the tree. |
From ${URL} : I have a fuzzer tool for the perf_event_open() syscall that found a few oopses on the ARM platform, which I reported to lkml a week ago. One of the oopses can lead to a local privilege escalation on ARM-perf. This fix can be found here: http://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=7809/1 The discussion thread is: https://lkml.org/lkml/2013/8/7/259 The hope is this appears in 3.11-rc6 but my attempts to get the people at security@...r.kernel.org to take this seriously didn't really go very well. I do have code that will exploit the kernel and give me a root shell on an ARM Pandaboard machine running 3.11-rc4. The exploit is a bit fragile though: + Only works on ARM + Elevates from normal user to root, no special config required. perf_event syscalls run as regular users, not sure why some think you need root. + It does need a user-mappable address at an exact byte offset from a pmu_struct in memory. This limits things somewhat; in my testing 3.11-rc kernels have INT_MIN at exactly the right place but the exploit doesn't work on a 3.7.6 kernel, it just oopses or crashes the machine.