Date: Fri, 16 Aug 2013 13:07:49 +0200
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com, Kurt Seifried <kseifrie@...hat.com>
Subject: Re: CVE Request: linux-kernel priviledge escalation
 on ARM/perf

On Wed, Aug 14, 2013 at 05:37:32PM -0400, Vince Weaver wrote:
> Hello
> 
> I'm not really a security researcher, so hopefully I'm reporting this in 
> the proper way.

Thank you for the report, Vince. I think that it is completely fine -)

> I have a fuzzer tool for the perf_event_open() syscall that found
> a few oopses on the ARM platform, which I reported to lkml a week ago.
> 
> One of the oopses can lead to a local privilege escalation on ARM-perf.
> This fix can be found here:
>   http://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=7809/1
> The discussion thread is:
>   https://lkml.org/lkml/2013/8/7/259 
> 
> The hope is this appears in 3.11-rc6 but my attempts to get the people at 
> security@...r.kernel.org to take this seriously didn't really go very 
> well.
> 
> I do have code that will exploit the kernel and give me a root shell
> on an ARM Pandaboard machine running 3.11-rc4.  The exploit is a bit 
> fragile though:
>   + Only works on ARM
>   + Elevates from normal user to root, no special config required.
>     perf_event syscalls run as regular users, not sure why some
>     think you need root.
>   + It does need a user-mappable address at an exact byte offset
>     from a pmu_struct in memory.  This limits things somewhat; in
>     my testing 3.11-rc kernels have INT_MIN at exactly the right place 
>     but the exploit doesn't work on a 3.7.6 kernel,
>     it just oopses or crashes the machine.

This looks valid to me. Unless someone has any objections, Kurt, can you
please assign a CVE to this issue?

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
