oss-sec mailing list archives

CVE Request: More perf security fixes


From: Marcus Meissner <meissner () suse de>
Date: Tue, 4 Jun 2013 17:53:16 +0200

Hi,

The perf kernel folks seem to have fixed some more perf issues which have not yet got CVEs.

Our partner Intel thinks that these 3 are security relevant, so we think
they also need separate CVEs.

I only glanced at what the issue is; please correct me if my classification is wrong.

1. Info leak (?) via PERF_SAMPLE_BRANCH_KERNEL

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7cc23cd6c0c7d7f4bee057607e7ce01568925717

commit 7cc23cd6c0c7d7f4bee057607e7ce01568925717
Author: Peter Zijlstra <a.p.zijlstra () chello nl>
Date:   Fri May 3 14:11:25 2013 +0200

    perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL

    We should always have proper privileges when requesting kernel
    data.

    Signed-off-by: Peter Zijlstra <a.p.zijlstra () chello nl>
    Cc: <stable () kernel org>
    Cc: Andi Kleen <ak () linux intel com>
    Cc: eranian () google com
    Link: http://lkml.kernel.org/r/20130503121256.230745028 () chello nl
    [ Fix build error reported by fengguang.wu () intel com, propagate error code back. ]
    Signed-off-by: Ingo Molnar <mingo () kernel org>
    Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili () git kernel org


2. Denial of service (system crash)

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f1923820c447e986a9da0fc6bf60c1dccdf0408e

commit f1923820c447e986a9da0fc6bf60c1dccdf0408e
Author: Stephane Eranian <eranian () google com>
Date:   Tue Apr 16 13:51:43 2013 +0200

    perf/x86: Fix offcore_rsp valid mask for SNB/IVB
    
    The valid mask for both offcore_response_0 and
    offcore_response_1 was wrong for SNB/SNB-EP,
    IVB/IVB-EP. It was possible to write to
    reserved bit and cause a GP fault crashing
    the kernel.
    
    This patch fixes the problem by correctly marking the
    reserved bits in the valid mask for all the processors
    mentioned above.
    
    A distinction between desktop and server parts is introduced
    because bits 24-30 are only available on the server parts.
    
    This version of the  patch is just a rebase to perf/urgent tree
    and should apply to older kernels as well.
    
    Signed-off-by: Stephane Eranian <eranian () google com>
    Cc: peterz () infradead org
    Cc: jolsa () redhat com
    Cc: gregkh () linuxfoundation org
    Cc: security () kernel org
    Cc: ak () linux intel com
    Signed-off-by: Ingo Molnar <mingo () kernel org>


3. Information leak (??) via perf LBR filter 

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e15eb3ba6c0249c9e8c783517d131b47db995ca

commit 6e15eb3ba6c0249c9e8c783517d131b47db995ca
Author: Peter Zijlstra <a.p.zijlstra () chello nl>
Date:   Fri May 3 14:11:24 2013 +0200

    perf/x86/intel/lbr: Fix LBR filter
    
    The LBR 'from' address is under full userspace control; ensure
    we validate it before reading from it.
    
    Note: is_module_text_address() can potentially be quite
    expensive; for those running into that with high overhead
    in modules optimize it using an RCU backed rb-tree.
    
    Reported-by: Andi Kleen <ak () linux intel com>
    Signed-off-by: Peter Zijlstra <a.p.zijlstra () chello nl>
    Cc: <stable () kernel org>
    Cc: eranian () google com
    Link: http://lkml.kernel.org/r/20130503121256.158211806 () chello nl
    Signed-off-by: Ingo Molnar <mingo () kernel org>
    Link: http://lkml.kernel.org/n/tip-mk8i82ffzax01cnqo829iy1q () git kernel org

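Added illustration for item 2 (the offcore_rsp valid mask), not code from the kernel or from the commit above. The mask values and the "hardware" model below are constructed for the example: the commit only says that bits 24-30 exist on the server parts and that the old mask let a user-controlled config set reserved bits, which the MSR write turned into a #GP fault. The example contrasts a single shared mask with a per-part mask and shows where the driver-side check has to sit so a bad config is rejected with -EINVAL instead of reaching the MSR.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed, illustrative masks only; they are NOT the kernel's real
 * SNB/IVB offcore_response valid masks. The shape follows the commit text:
 * a common set of bits valid on every part, plus bits 24-30 that exist only
 * on the server parts.
 */
#define OFFCORE_VALID_COMMON      0x00FFFFFFULL   /* bits 0-23 (assumed) */
#define OFFCORE_SERVER_ONLY_BITS  0x7F000000ULL   /* bits 24-30 */
#define OFFCORE_VALID_SERVER      (OFFCORE_VALID_COMMON | OFFCORE_SERVER_ONLY_BITS)

enum cpu_part { PART_DESKTOP, PART_SERVER };

/* Before the fix: one mask for every part, so a desktop write could set bits 24-30. */
uint64_t offcore_valid_mask_old(enum cpu_part part)
{
    (void)part;
    return OFFCORE_VALID_SERVER;
}

/* After the fix: the valid mask distinguishes desktop from server parts. */
uint64_t offcore_valid_mask_fixed(enum cpu_part part)
{
    return part == PART_SERVER ? OFFCORE_VALID_SERVER : OFFCORE_VALID_COMMON;
}

/* Stand-in for the hardware: a write with any reserved bit set raises #GP. */
bool hw_write_would_fault(enum cpu_part part, uint64_t value)
{
    uint64_t reserved = ~offcore_valid_mask_fixed(part);  /* the part's real layout */
    return (value & reserved) != 0;
}

/*
 * Driver-side validation of a user-supplied config: reject the event if any
 * bit outside the valid mask is set. Returns 0 on success, -EINVAL otherwise.
 */
int validate_offcore_config(uint64_t (*valid_mask)(enum cpu_part),
                            enum cpu_part part, uint64_t config)
{
    if (config & ~valid_mask(part))
        return -EINVAL;
    return 0;
}

/*
 * Simulated programming path: 0 if the value was written, -EINVAL if the
 * driver rejected it, -EFAULT if it slipped past the driver and the hardware
 * would have faulted (the crash the commit describes).
 */
int try_program_offcore(uint64_t (*valid_mask)(enum cpu_part),
                        enum cpu_part part, uint64_t config, uint64_t *msr)
{
    int err = validate_offcore_config(valid_mask, part, config);
    if (err)
        return err;
    if (hw_write_would_fault(part, config))
        return -EFAULT;
    *msr = config;
    return 0;
}

int main(void)
{
    uint64_t msr = 0;
    /* constructed config: a few common bits plus one server-only bit (bit 30) */
    uint64_t cfg = 0x3FULL | (1ULL << 30);
    printf("old mask, desktop:   %d\n", try_program_offcore(offcore_valid_mask_old,   PART_DESKTOP, cfg, &msr));
    printf("fixed mask, desktop: %d\n", try_program_offcore(offcore_valid_mask_fixed, PART_DESKTOP, cfg, &msr));
    printf("fixed mask, server:  %d\n", try_program_offcore(offcore_valid_mask_fixed, PART_SERVER,  cfg, &msr));
    return 0;
}
```

The point of the split is that the valid mask is the only thing standing between an unprivileged perf_event_open() caller and the MSR write, so it has to describe exactly the bits the specific part implements; a mask that is merely a superset of the hardware's real layout is a crash waiting to happen.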

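Added illustration for item 3 (the LBR filter), again not the kernel's code. The commit says the LBR 'from' address is under userspace control and must be validated before the filter reads instruction bytes from it. The model below is a constructed byte-array "address space" with one region designated as text; is_text_address() stands in for kernel_text_address()/is_module_text_address(), and the checked fetch additionally clips the read at the end of the text region so a branch recorded near the boundary cannot pull in bytes from outside it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy address space for the example (all values constructed):
 * bytes [TEXT_START, TEXT_END) are "kernel text", everything else is not.
 */
#define SPACE_SIZE  0x100
#define TEXT_START  0x40
#define TEXT_END    0x80
#define MAX_INSN    15        /* longest x86 instruction */

static uint8_t address_space[SPACE_SIZE];

/* Stand-in for kernel_text_address()/is_module_text_address(). */
bool is_text_address(uintptr_t addr)
{
    return addr >= TEXT_START && addr < TEXT_END;
}

/*
 * Checked fetch (the shape of the fix): refuse to read unless `from` is a
 * text address, and never read past the end of the text region. Returns the
 * number of bytes copied, or -1 if `from` was rejected.
 */
int fetch_branch_bytes(uintptr_t from, uint8_t *out, size_t outlen)
{
    if (!is_text_address(from))
        return -1;
    size_t n = outlen < MAX_INSN ? outlen : MAX_INSN;
    size_t avail = TEXT_END - from;
    if (n > avail)
        n = avail;
    memcpy(out, &address_space[from], n);
    return (int)n;
}

/*
 * Unchecked fetch (the shape of the bug): whatever `from` says gets read.
 * The bound against SPACE_SIZE only keeps this toy itself memory-safe; it is
 * not a validation of `from` as a text address.
 */
int fetch_branch_bytes_unchecked(uintptr_t from, uint8_t *out, size_t outlen)
{
    size_t n = outlen < MAX_INSN ? outlen : MAX_INSN;
    if (from >= SPACE_SIZE)
        return 0;
    if (from + n > SPACE_SIZE)
        n = SPACE_SIZE - from;
    memcpy(out, &address_space[from], n);
    return (int)n;
}

int main(void)
{
    uint8_t buf[MAX_INSN];
    memset(address_space, 0x90, sizeof address_space);   /* constructed filler bytes */
    printf("checked, non-text from:   %d\n", fetch_branch_bytes(0x20, buf, sizeof buf));
    printf("checked, near text end:   %d\n", fetch_branch_bytes(0x78, buf, sizeof buf));
    printf("unchecked, non-text from: %d\n", fetch_branch_bytes_unchecked(0x20, buf, sizeof buf));
    return 0;
}
```

In the real driver the bytes fetched here feed the instruction decoder that classifies the branch type; the defensive property worth keeping in mind is that any value that arrives from hardware but was steered by an unprivileged caller has to be treated as untrusted input, exactly like a value read from userspace.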
