Date: Tue, 4 Jun 2013 17:53:16 +0200
From: Marcus Meissner <>
To: OSS Security List <>
Subject: CVE Request: More perf security fixes


The perf kernel folks seem to have fixed some more perf issues which have not yet got CVEs.

Our partner Intel thinks that these 3 are security relevant, so we think
they also need separate CVEs.

I only glanced at what the issue is; please correct me if my classification is wrong.

1. Info leak (?) via PERF_SAMPLE_BRANCH_KERNEL

commit 7cc23cd6c0c7d7f4bee057607e7ce01568925717
Author: Peter Zijlstra <>
Date:   Fri May 3 14:11:25 2013 +0200

    perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL

    We should always have proper privileges when requesting kernel

    Signed-off-by: Peter Zijlstra <>
    Cc: <>
    Cc: Andi Kleen <>
    [ Fix build error reported by, propagate error code back. ]
    Signed-off-by: Ingo Molnar <>

2. Denial of service (system crash)

commit f1923820c447e986a9da0fc6bf60c1dccdf0408e
Author: Stephane Eranian <>
Date:   Tue Apr 16 13:51:43 2013 +0200

    perf/x86: Fix offcore_rsp valid mask for SNB/IVB
    The valid mask for both offcore_response_0 and
    offcore_response_1 was wrong for SNB/SNB-EP,
    IVB/IVB-EP. It was possible to write to
    reserved bit and cause a GP fault crashing
    the kernel.
    This patch fixes the problem by correctly marking the
    reserved bits in the valid mask for all the processors
    mentioned above.
    A distinction between desktop and server parts is introduced
    because bits 24-30 are only available on the server parts.
    This version of the patch is just a rebase to perf/urgent tree
    and should apply to older kernels as well.
    Signed-off-by: Stephane Eranian <>
    Signed-off-by: Ingo Molnar <>

3. Information leak (??) via perf LBR filter

commit 6e15eb3ba6c0249c9e8c783517d131b47db995ca
Author: Peter Zijlstra <>
Date:   Fri May 3 14:11:24 2013 +0200

    perf/x86/intel/lbr: Fix LBR filter
    The LBR 'from' address is under full userspace control; ensure
    we validate it before reading from it.
    Note: is_module_text_address() can potentially be quite
    expensive; for those running into that with high overhead
    in modules optimize it using an RCU backed rb-tree.
    Reported-by: Andi Kleen <>
    Signed-off-by: Peter Zijlstra <>
    Cc: <>
    Signed-off-by: Ingo Molnar <>
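
The three commits above share one theme: a value that reaches the perf code from userspace (a branch-sample request, an extra-register config, an LBR "from" address filled in by hardware on behalf of a user task) was used before it was checked. The following is an added, user-space model of those three checks; it is not kernel code and not part of the e-mail. The bit masks, the address ranges and the privilege flag are constructed for illustration only (the real offcore_response valid masks live in the kernel's event tables), and the only thing borrowed from the kernel is the idea that reserved bits, unprivileged kernel-level sampling and unverified addresses are rejected before anything is written or read.

```c
/* Added example (not from the kernel or from the e-mail above): a user-space
 * model of the three input checks the listed fixes describe. All constants,
 * masks and address ranges below are CONSTRUCTED for illustration; they are
 * not the real Sandy Bridge / Ivy Bridge MSR layouts or kernel addresses. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* --- 1. Privilege gate for kernel-level branch sampling ----------------- */
#define BRANCH_USER   (1ULL << 0)
#define BRANCH_KERNEL (1ULL << 1)   /* stands in for PERF_SAMPLE_BRANCH_KERNEL */

/* Kernel branch records are handed out only to a caller that holds the
 * required privilege (modelled here as a single boolean). Everything else
 * is refused with -EACCES, before any LBR filter is programmed. */
static int check_branch_sample_type(uint64_t br_type, bool caller_privileged)
{
    if ((br_type & BRANCH_KERNEL) && !caller_privileged)
        return -EACCES;
    return 0;
}

/* --- 2. Valid-bit mask for a model-specific extra register ------------- */
/* Constructed masks: the "server" part exposes bits 24-30, the "desktop"
 * part does not, so those bits are reserved there and must be refused. */
#define OFFCORE_SERVER_VALID   0x3fff7effffULL          /* constructed */
#define OFFCORE_BITS_24_30     (0x7fULL << 24)
#define OFFCORE_DESKTOP_VALID  (OFFCORE_SERVER_VALID & ~OFFCORE_BITS_24_30)

static uint64_t offcore_valid_mask(bool server_part)
{
    return server_part ? OFFCORE_SERVER_VALID : OFFCORE_DESKTOP_VALID;
}

/* A config is accepted only if every set bit is inside the valid mask for
 * this part; a reserved bit is an -EINVAL at the syscall boundary instead
 * of an MSR write that faults in the kernel. */
static int check_offcore_config(bool server_part, uint64_t config)
{
    if (config & ~offcore_valid_mask(server_part))
        return -EINVAL;
    return 0;
}

/* --- 3. Validate a hardware-supplied address before reading from it ---- */
struct text_range { uint64_t start, end; };

/* Constructed stand-in for the kernel's notion of "known text": core text
 * plus one loaded module. The real check consults the symbol tables. */
static const struct text_range text_ranges[] = {
    { 0xffffffff81000000ULL, 0xffffffff81a00000ULL },  /* core text */
    { 0xffffffffa0000000ULL, 0xffffffffa0100000ULL },  /* a module   */
};

/* The LBR 'from' field is only dereferenced when it lies inside a known
 * text range; anything else is dropped rather than read. */
static bool lbr_from_is_text_address(uint64_t from)
{
    for (size_t i = 0; i < sizeof text_ranges / sizeof text_ranges[0]; i++)
        if (from >= text_ranges[i].start && from < text_ranges[i].end)
            return true;
    return false;
}

int main(void)
{
    printf("kernel branches, unprivileged: %d\n",
           check_branch_sample_type(BRANCH_KERNEL, false));
    printf("bit 24 on desktop part: %d, on server part: %d\n",
           check_offcore_config(false, 1ULL << 24),
           check_offcore_config(true,  1ULL << 24));
    printf("from=0xffffffff81000100 is text: %d\n",
           lbr_from_is_text_address(0xffffffff81000100ULL));
    printf("from=0x00007f0000000000 is text: %d\n",
           lbr_from_is_text_address(0x00007f0000000000ULL));
    return 0;
}
```

The point of each helper is where the rejection happens: at the request, before the hardware is programmed or the address is touched. The same three checks are the ones a reviewer would look for in any driver that takes a bitfield, a privilege-sensitive mode flag or a pointer-sized value from an unprivileged task.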
