Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 20 Aug 2013 13:47:38 -0400 (EDT)
From: Vince Weaver <vincent.weaver@...ne.edu>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: linux-kernel priviledge escalation
 on ARM/perf

On Wed, 14 Aug 2013, Vince Weaver wrote:

> One of the oopses can lead to a local privilege escalation on ARM-perf.
> This fix can be found here:
>   http://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=7809/1
> The discussion thread is:
>   https://lkml.org/lkml/2013/8/7/259 

More info on this ( CVE-2013-4254 )

The fix has been committed to linus-git and will be in 3.11-rc6:
    c95eb3184ea1a3a2551df57190c81da695e2144b
It is also in the recent 3.10.8 stable release.

I've been doing further tests on this exploit, and it turns out it
is very hard to exploit; it depends on having a very exact kernel
memory layout with a user-mappable address at exactly the right place.

Thus despite the vulnerability being there from 3.2 through 3.11-rc6 I've
only been able to exploit it on 3.11-rc kernels, which probably limits the 
exposure from this bug (it does oops on all kernels, but doesn't call
into user code exept on 3.11-rc1 and newer).

Since the bug is now fixed and the exploit seems unlikely to trigger on
non-3.11-rc kernels, I've released my code describing the issue in more 
detail.

See my perf_event_tests package:
   https://github.com/deater/perf_event_tests

A simple test for the bug can be found under:
   crashes/arm_validate_event_oops.c
And the exploit (with details in the source code comments) is here:
   exploits/arm_perf_exploit.c

Vince

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.