Date: Fri, 16 Aug 2013 13:07:49 +0200
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com, Kurt Seifried <kseifrie@...hat.com>
Subject: Re: CVE Request: linux-kernel priviledge escalation on ARM/perf

On Wed, Aug 14, 2013 at 05:37:32PM -0400, Vince Weaver wrote:
> Hello
>
> I'm not really a security researcher, so hopefully I'm reporting this in
> the proper way.

Thank you for the report, Vince. I think that it is completely fine -)

> I have a fuzzer tool for the perf_event_open() syscall that found
> a few oopses on the ARM platform, which I reported to lkml a week ago.
>
> One of the oopses can lead to a local privilege escalation on ARM-perf.
> This fix can be found here:
> http://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=7809/1
> The discussion thread is:
> https://lkml.org/lkml/2013/8/7/259
>
> The hope is this appears in 3.11-rc6 but my attempts to get the people at
> security@...r.kernel.org to take this seriously didn't really go very
> well.
>
> I do have code that will exploit the kernel and give me a root shell
> on an ARM Pandaboard machine running 3.11-rc4. The exploit is a bit
> fragile though:
> + Only works on ARM
> + Elevates from normal user to root, no special config required.
>   perf_event syscalls run as regular users, not sure why some
>   think you need root.
> + It does need a user-mappable address at an exact byte offset
>   from a pmu_struct in memory. This limits things somewhat; in
>   my testing 3.11-rc kernels have INT_MIN at exactly the right place
>   but the exploit doesn't work on a 3.7.6 kernel,
>   it just oopses or crashes the machine.

This looks valid to me. Unless someone has any objections, can you please
Kurt assign CVE to this issue?

Thanks,
--
Petr Matousek / Red Hat Security Response Team