oss-sec mailing list archives
Re: CVE Request: linux-kernel priviledge escalation on ARM/perf
From: Vince Weaver <vincent.weaver () maine edu>
Date: Tue, 20 Aug 2013 13:47:38 -0400 (EDT)
On Wed, 14 Aug 2013, Vince Weaver wrote:
One of the oopses can lead to a local privilege escalation on ARM-perf. This fix can be found here: http://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=7809/1 The discussion thread is: https://lkml.org/lkml/2013/8/7/259
More info on this ( CVE-2013-4254 ) The fix has been committed to linus-git and will be in 3.11-rc6: c95eb3184ea1a3a2551df57190c81da695e2144b It is also in the recent 3.10.8 stable release. I've been doing further tests on this exploit, and it turns out it is very hard to exploit; it depends on having a very exact kernel memory layout with a user-mappable address at exactly the right place. Thus despite the vulnerability being there from 3.2 through 3.11-rc6 I've only been able to exploit it on 3.11-rc kernels, which probably limits the exposure from this bug (it does oops on all kernels, but doesn't call into user code exept on 3.11-rc1 and newer). Since the bug is now fixed and the exploit seems unlikely to trigger on non-3.11-rc kernels, I've released my code describing the issue in more detail. See my perf_event_tests package: https://github.com/deater/perf_event_tests A simple test for the bug can be found under: crashes/arm_validate_event_oops.c And the exploit (with details in the source code comments) is here: exploits/arm_perf_exploit.c Vince
Current thread:
- CVE Request: linux-kernel priviledge escalation on ARM/perf Vince Weaver (Aug 14)
- Re: CVE Request: linux-kernel priviledge escalation on ARM/perf Petr Matousek (Aug 16)
- Re: CVE Request: linux-kernel priviledge escalation on ARM/perf Kurt Seifried (Aug 16)
- Re: CVE Request: linux-kernel priviledge escalation on ARM/perf Vince Weaver (Aug 20)
- Re: CVE Request: linux-kernel priviledge escalation on ARM/perf Petr Matousek (Aug 16)