Vigil@nce - Linux kernel: privilege escalation via PERF_EVENTS
May 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the perf_event_open() system call with an
invalid event, in order to escalate his privileges.
– Impacted products: Debian, Linux, RHEL, Slackware, SUSE Linux
Enterprise Desktop, SLES
– Severity: 2/4
– Creation date: 14/05/2013
DESCRIPTION OF THE VULNERABILITY
The perf_event_open() system call opens a file descriptor, in
order to monitor performances. It exists when the kernel is
compiled with CONFIG_PERF_EVENTS.
The "config" parameter of the perf_event_attr structure indicates
events that the user wishes to monitor. However, the kernel stores
this value on 32 bit, instead of 64, and then accesses outside the
perf_swevent_enabled array, which corrupts the memory.
A local attacker can therefore use the perf_event_open() system
call with an invalid event, in order to escalate his privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-privilege-escalation-via-PERF-EVENTS-12794