Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 4 Jun 2013 17:53:16 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: a.p.zijlstra@...llo.nl, eranian@...gle.com, ak@...ux.intel.com,
	security@...nel.org
Subject: CVE Request: More perf security fixes

Hi,

The perf kernel folks seem to have fixed some more perf issues which have not yet got CVEs.

Our partner Intel thinks that these 3 are security relevant, so we think
they also need seperate CVEs.

I only glanced what the issue is, please correct if my classification is wrong..

1. Info leak (?) via PERF_SAMPLE_BRANCH_KERNEL

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7cc23cd6c0c7d7f4bee057607e7ce01568925717

commit 7cc23cd6c0c7d7f4bee057607e7ce01568925717
Author: Peter Zijlstra <a.p.zijlstra@...llo.nl>
Date:   Fri May 3 14:11:25 2013 +0200

    perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL

    We should always have proper privileges when requesting kernel
    data.

    Signed-off-by: Peter Zijlstra <a.p.zijlstra@...llo.nl>
    Cc: <stable@...nel.org>
    Cc: Andi Kleen <ak@...ux.intel.com>
    Cc: eranian@...gle.com
    Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
    [ Fix build error reported by fengguang.wu@...el.com, propagate error code back. ]
    Signed-off-by: Ingo Molnar <mingo@...nel.org>
    Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org


2. Denial of service (system crash)

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f1923820c447e986a9da0fc6bf60c1dccdf0408e

commit f1923820c447e986a9da0fc6bf60c1dccdf0408e
Author: Stephane Eranian <eranian@...gle.com>
Date:   Tue Apr 16 13:51:43 2013 +0200

    perf/x86: Fix offcore_rsp valid mask for SNB/IVB
    
    The valid mask for both offcore_response_0 and
    offcore_response_1 was wrong for SNB/SNB-EP,
    IVB/IVB-EP. It was possible to write to
    reserved bit and cause a GP fault crashing
    the kernel.
    
    This patch fixes the problem by correctly marking the
    reserved bits in the valid mask for all the processors
    mentioned above.
    
    A distinction between desktop and server parts is introduced
    because bits 24-30 are only available on the server parts.
    
    This version of the  patch is just a rebase to perf/urgent tree
    and should apply to older kernels as well.
    
    Signed-off-by: Stephane Eranian <eranian@...gle.com>
    Cc: peterz@...radead.org
    Cc: jolsa@...hat.com
    Cc: gregkh@...uxfoundation.org
    Cc: security@...nel.org
    Cc: ak@...ux.intel.com
    Signed-off-by: Ingo Molnar <mingo@...nel.org>


3. Information leak (??) via perf LBR filter 

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e15eb3ba6c0249c9e8c783517d131b47db995ca

commit 6e15eb3ba6c0249c9e8c783517d131b47db995ca
Author: Peter Zijlstra <a.p.zijlstra@...llo.nl>
Date:   Fri May 3 14:11:24 2013 +0200

    perf/x86/intel/lbr: Fix LBR filter
    
    The LBR 'from' adddress is under full userspace control; ensure
    we validate it before reading from it.
    
    Note: is_module_text_address() can potentially be quite
    expensive; for those running into that with high overhead
    in modules optimize it using an RCU backed rb-tree.
    
    Reported-by: Andi Kleen <ak@...ux.intel.com>
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@...llo.nl>
    Cc: <stable@...nel.org>
    Cc: eranian@...gle.com
    Link: http://lkml.kernel.org/r/20130503121256.158211806@chello.nl
    Signed-off-by: Ingo Molnar <mingo@...nel.org>
    Link: http://lkml.kernel.org/n/tip-mk8i82ffzax01cnqo829iy1q@git.kernel.org


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.