From patchwork Wed Jan 3 19:04:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo X-Patchwork-Id: 1882181 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4T4zfm0td1z1yQ5 for ; Thu, 4 Jan 2024 06:04:31 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1rL6XI-00083R-Nl; Wed, 03 Jan 2024 19:04:16 +0000 Received: from smtp-relay-canonical-0.internal ([10.131.114.83] helo=smtp-relay-canonical-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1rL6XE-00083E-Da for kernel-team@lists.ubuntu.com; Wed, 03 Jan 2024 19:04:12 +0000 Received: from quatroqueijos.lan (1.general.cascardo.us.vpn [10.172.70.58]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id 48E603F2D5 for ; Wed, 3 Jan 2024 19:04:10 +0000 (UTC) From: Thadeu Lima de Souza Cascardo To: kernel-team@lists.ubuntu.com Subject: [SRU Focal,Jammy,OEM-6.1,Lunar,Mantic 0/3] CVE-2023-6931 Date: Wed, 3 Jan 2024 16:04:02 -0300 Message-Id: <20240103190405.1828289-1-cascardo@canonical.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" [Impact] An out-of-bounds write is possible when using perf events. On systems where unprivileged users have access to perf (perf_event_paranoid <= 3 on 5.4 and later), this could allow privilege escalation. [Backport] On Jammy and Focal, an extra pre-requisite was added, introducing the ability to read lost samples per event. Though not strictly necessary, that's how upstream stable did it, so this would make future changes easier. [Test case] A reproducer was built and tested. The system no longer crashes after these changes. [Potential regression] perf users may regress or new vulnerabilities might be possible. Mark Rutland (1): perf: Fix perf_event_validate_size() lockdep splat Peter Zijlstra (1): perf: Fix perf_event_validate_size() kernel/events/core.c | 69 ++++++++++++++++++++++++++++++-------------- 1 file changed, 47 insertions(+), 22 deletions(-) Acked-by: Roxana Nicolescu Acked-by: Tim Gardner