From ${URL} : I have a fuzzer tool for the perf_event_open() syscall that found a few oopses on the ARM platform, which I reported to lkml a week ago. One of the oopses can lead to a local privilege escalation on ARM-perf. This fix can be found here: http://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=7809/1 The discussion thread is: https://lkml.org/lkml/2013/8/7/259 The hope is this appears in 3.11-rc6 but my attempts to get the people at security@...r.kernel.org to take this seriously didn't really go very well. I do have code that will exploit the kernel and give me a root shell on an ARM Pandaboard machine running 3.11-rc4. The exploit is a bit fragile though: + Only works on ARM + Elevates from normal user to root, no special config required. perf_event syscalls run as regular users, not sure why some think you need root. + It does need a user-mappable address at an exact byte offset from a pmu_struct in memory. This limits things somewhat; in my testing 3.11-rc kernels have INT_MIN at exactly the right place but the exploit doesn't work on a 3.7.6 kernel, it just oopses or crashes the machine.
CVE-2013-4254 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4254): The validate_event function in arch/arm/kernel/perf_event.c in the Linux kernel before 3.10.8 on the ARM platform allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by adding a hardware event to an event group led by a software event.
<3.10.8 kernel versions are no longer in the tree.