Patchwork [Precise,Quantal,CVE-2013-2094] perf: Treat attr.config as u64 in perf_swevent_init()

Submitter Luis Henriques
Date May 14, 2013, 1:48 p.m.
Message ID <1368539334-24640-1-git-send-email-luis.henriques@canonical.com>
Permalink /patch/243708/
State New

Comments

Luis Henriques - May 14, 2013, 1:48 p.m.
From: Tommi Rantala <tt.rantala@gmail.com>

CVE-2013-2094

BugLink: http://bugs.launchpad.net/bugs/1179943

Trinity discovered that we fail to check all 64 bits of
attr.config passed by user space, resulting in out-of-bounds
access of the perf_swevent_enabled array in
sw_perf_event_destroy().

Introduced in commit b0a873ebb ("perf: Register PMU
implementations").

Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: davej@redhat.com
Cc: Paul Mackerras <paulus@samba.org>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Link: http://lkml.kernel.org/r/1365882554-30259-1-git-send-email-tt.rantala@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit 8176cced706b5e5d15887584150764894e94e02f)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 kernel/events/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Tim Gardner - May 14, 2013, 1:52 p.m.

Steve Conklin - May 14, 2013, 1:53 p.m.
On 05/14/2013 08:48 AM, Luis Henriques wrote:
> From: Tommi Rantala <tt.rantala@gmail.com>
> 
> CVE-2013-2094
> 
> BugLink: http://bugs.launchpad.net/bugs/1179943
> 
> Trinity discovered that we fail to check all 64 bits of
> attr.config passed by user space, resulting in out-of-bounds
> access of the perf_swevent_enabled array in
> sw_perf_event_destroy().
> 
> Introduced in commit b0a873ebb ("perf: Register PMU
> implementations").
> 
> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
> Cc: davej@redhat.com
> Cc: Paul Mackerras <paulus@samba.org>
> Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
> Link: http://lkml.kernel.org/r/1365882554-30259-1-git-send-email-tt.rantala@gmail.com
> Signed-off-by: Ingo Molnar <mingo@kernel.org>
> (cherry picked from commit 8176cced706b5e5d15887584150764894e94e02f)
> 
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  kernel/events/core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 7d1f05e..12d98d9 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -5164,7 +5164,7 @@ static void sw_perf_event_destroy(struct perf_event *event)
>  
>  static int perf_swevent_init(struct perf_event *event)
>  {
> -	int event_id = event->attr.config;
> +	u64 event_id = event->attr.config;
>  
>  	if (event->attr.type != PERF_TYPE_SOFTWARE)
>  		return -ENOENT;
>
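
Review bot: The new `u64 event_id` declaration in perf_swevent_init() should carry a one-line comment saying that attr.config is a 64-bit value supplied by user space and must not be narrowed before it is validated. As posted, the only thing stopping a later cleanup from turning the local back into `int` is the commit message, and the bug described there came from exactly that narrowing.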

Patch

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 7d1f05e..12d98d9 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5164,7 +5164,7 @@  static void sw_perf_event_destroy(struct perf_event *event)
 
 static int perf_swevent_init(struct perf_event *event)
 {
-	int event_id = event->attr.config;
+	u64 event_id = event->attr.config;
 
 	if (event->attr.type != PERF_TYPE_SOFTWARE)
 		return -ENOENT;
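
Review bot: The uses of event_id further down perf_swevent_init() fall outside the context lines shown, so the effect of the signedness change at `u64 event_id = event->attr.config;` cannot be checked from this hunk alone. Before applying to Precise and Quantal, confirm that every comparison and array index using event_id in the backported function behaves correctly with an unsigned 64-bit value and that no remaining use still assumes an int. The commit message also places the out-of-bounds access in sw_perf_event_destroy(), which appears here only in the hunk header; the message should say how that function reads the id, so that it is clear why changing perf_swevent_init() alone is sufficient.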