Vigil@nce - Linux kernel: denial of service via Intel Counters
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can disrupt computations of Intel processor
counters, in order to create a denial of service.
Severity: 1/4
Creation date: 06/07/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
Intel processors have specific MSR (Model Specific Register)
registers. They can be reached via the RDMSR (read) and WRMSR
(write) assembler instructions, by indicating the number of the
MSR in ECX.
The MSR 0x38d controls performance counters (PMU : Performance
Monitoring Unit) :
– MSR 0x309 : instruction counter
– MSR 0x30a : CPU cycle counter
– MSR 0x30b : bus cycle counter
So, there is one control MSR, and three PMU MSRs.
However, the x86_assign_hw_event() function of the
arch/x86/kernel/cpu/perf_event.c file uses a fixed index to access
to the PMU MSRs. The RDMSR/WRMSR instructions thus only use the
MSR 0x309.
A local attacker can therefore disrupt computations of Intel
processor counters, in order to create a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-Intel-Counters-10815