oss-sec mailing list archives
Re: CVE Request: linux-kernel priviledge escalation on ARM/perf
From: Vince Weaver <vincent.weaver () maine edu>
Date: Tue, 20 Aug 2013 13:47:38 -0400 (EDT)
On Wed, 14 Aug 2013, Vince Weaver wrote:
One of the oopses can lead to a local privilege escalation on ARM-perf. This fix can be found here: http://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=7809/1 The discussion thread is: https://lkml.org/lkml/2013/8/7/259
More info on this ( CVE-2013-4254 )
The fix has been committed to linus-git and will be in 3.11-rc6:
c95eb3184ea1a3a2551df57190c81da695e2144b
It is also in the recent 3.10.8 stable release.
I've been doing further tests on this exploit, and it turns out it
is very hard to exploit; it depends on having a very exact kernel
memory layout with a user-mappable address at exactly the right place.
Thus despite the vulnerability being there from 3.2 through 3.11-rc6 I've
only been able to exploit it on 3.11-rc kernels, which probably limits the
exposure from this bug (it does oops on all kernels, but doesn't call
into user code exept on 3.11-rc1 and newer).
Since the bug is now fixed and the exploit seems unlikely to trigger on
non-3.11-rc kernels, I've released my code describing the issue in more
detail.
See my perf_event_tests package:
https://github.com/deater/perf_event_tests
A simple test for the bug can be found under:
crashes/arm_validate_event_oops.c
And the exploit (with details in the source code comments) is here:
exploits/arm_perf_exploit.c
Vince
Current thread:
- CVE Request: linux-kernel priviledge escalation on ARM/perf Vince Weaver (Aug 14)
- Re: CVE Request: linux-kernel priviledge escalation on ARM/perf Petr Matousek (Aug 16)
- Re: CVE Request: linux-kernel priviledge escalation on ARM/perf Kurt Seifried (Aug 16)
- Re: CVE Request: linux-kernel priviledge escalation on ARM/perf Vince Weaver (Aug 20)
- Re: CVE Request: linux-kernel priviledge escalation on ARM/perf Petr Matousek (Aug 16)