|
Message-ID: <alpine.DEB.2.10.1308201338140.23686@vincent-weaver-1.um.maine.edu> Date: Tue, 20 Aug 2013 13:47:38 -0400 (EDT) From: Vince Weaver <vincent.weaver@...ne.edu> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: linux-kernel priviledge escalation on ARM/perf On Wed, 14 Aug 2013, Vince Weaver wrote: > One of the oopses can lead to a local privilege escalation on ARM-perf. > This fix can be found here: > http://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=7809/1 > The discussion thread is: > https://lkml.org/lkml/2013/8/7/259 More info on this ( CVE-2013-4254 ) The fix has been committed to linus-git and will be in 3.11-rc6: c95eb3184ea1a3a2551df57190c81da695e2144b It is also in the recent 3.10.8 stable release. I've been doing further tests on this exploit, and it turns out it is very hard to exploit; it depends on having a very exact kernel memory layout with a user-mappable address at exactly the right place. Thus despite the vulnerability being there from 3.2 through 3.11-rc6 I've only been able to exploit it on 3.11-rc kernels, which probably limits the exposure from this bug (it does oops on all kernels, but doesn't call into user code exept on 3.11-rc1 and newer). Since the bug is now fixed and the exploit seems unlikely to trigger on non-3.11-rc kernels, I've released my code describing the issue in more detail. See my perf_event_tests package: https://github.com/deater/perf_event_tests A simple test for the bug can be found under: crashes/arm_validate_event_oops.c And the exploit (with details in the source code comments) is here: exploits/arm_perf_exploit.c Vince
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.