Message ID | 20240103190405.1828289-1-cascardo@canonical.com |
---|---|
Series | CVE-2023-6931 |

On 03/01/2024 20:04, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> An out-of-bounds write is possible when using perf events. On systems where
> unprivileged users have access to perf (perf_event_paranoid <= 3 on 5.4 and
> later), this could allow privilege escalation.
>
> [Backport]
> On Jammy and Focal, an extra pre-requisite was added, introducing the
> ability to read lost samples per event. Though not strictly necessary,
> that's how upstream stable did it, so this would make future changes easier.
>
> [Test case]
> A reproducer was built and tested. The system no longer crashes after
> these changes.
>
> [Potential regression]
> perf users may regress or new vulnerabilities might be possible.
>
> Mark Rutland (1):
>   perf: Fix perf_event_validate_size() lockdep splat
>
> Peter Zijlstra (1):
>   perf: Fix perf_event_validate_size()
>
>  kernel/events/core.c | 69 ++++++++++++++++++++++++++++++--------------
>  1 file changed, 47 insertions(+), 22 deletions(-)
>

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

On 1/3/24 12:04 PM, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> An out-of-bounds write is possible when using perf events. On systems where
> unprivileged users have access to perf (perf_event_paranoid <= 3 on 5.4 and
> later), this could allow privilege escalation.
>
> [Backport]
> On Jammy and Focal, an extra pre-requisite was added, introducing the
> ability to read lost samples per event. Though not strictly necessary,
> that's how upstream stable did it, so this would make future changes easier.
>
> [Test case]
> A reproducer was built and tested. The system no longer crashes after
> these changes.
>
> [Potential regression]
> perf users may regress or new vulnerabilities might be possible.
>
> Mark Rutland (1):
>   perf: Fix perf_event_validate_size() lockdep splat
>
> Peter Zijlstra (1):
>   perf: Fix perf_event_validate_size()
>
>  kernel/events/core.c | 69 ++++++++++++++++++++++++++++++--------------
>  1 file changed, 47 insertions(+), 22 deletions(-)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 03/01/2024 20:04, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> An out-of-bounds write is possible when using perf events. On systems where
> unprivileged users have access to perf (perf_event_paranoid <= 3 on 5.4 and
> later), this could allow privilege escalation.
>
> [Backport]
> On Jammy and Focal, an extra pre-requisite was added, introducing the
> ability to read lost samples per event. Though not strictly necessary,
> that's how upstream stable did it, so this would make future changes easier.
>
> [Test case]
> A reproducer was built and tested. The system no longer crashes after
> these changes.
>
> [Potential regression]
> perf users may regress or new vulnerabilities might be possible.
>
> Mark Rutland (1):
>   perf: Fix perf_event_validate_size() lockdep splat
>
> Peter Zijlstra (1):
>   perf: Fix perf_event_validate_size()
>
>  kernel/events/core.c | 69 ++++++++++++++++++++++++++++++--------------
>  1 file changed, 47 insertions(+), 22 deletions(-)
>

Applied to mantic, lunar, jammy, focal master-next branches. Thanks!

Thadeu Lima de Souza Cascardo wrote on 3.1.2024 at 21.04:
> [Impact]
> An out-of-bounds write is possible when using perf events. On systems where
> unprivileged users have access to perf (perf_event_paranoid <= 3 on 5.4 and
> later), this could allow privilege escalation.
>
> [Backport]
> On Jammy and Focal, an extra pre-requisite was added, introducing the
> ability to read lost samples per event. Though not strictly necessary,
> that's how upstream stable did it, so this would make future changes easier.
>
> [Test case]
> A reproducer was built and tested. The system no longer crashes after
> these changes.
>
> [Potential regression]
> perf users may regress or new vulnerabilities might be possible.
>
> Mark Rutland (1):
>   perf: Fix perf_event_validate_size() lockdep splat
>
> Peter Zijlstra (1):
>   perf: Fix perf_event_validate_size()
>
>  kernel/events/core.c | 69 ++++++++++++++++++++++++++++++--------------
>  1 file changed, 47 insertions(+), 22 deletions(-)
>

applied to oem-6.1-prep, thanks