Bugzilla – Bug 819789
L3-Question: VUL-0: CVE-2013-2094: kernel: linux kernel perf out-of-bounds access
Last modified: 2019-05-01 16:04:52 UTC
is public, via public exploits and oss-sec CVE-2013-2094 https://patchwork.kernel.org/patch/2441281/ aka 8176cced706b5e5d15887584150764894e94e02f reportedly works also on SLE11.
Created attachment 539150 [details] semtex.c exploit from http://fucksheep.org/~sd/warez/semtex.c (crashes the machine at least for me)
fix is in: commit 8176cced706b5e5d15887584150764894e94e02f Author: Tommi Rantala <tt.rantala@gmail.com> Date: Sat Apr 13 22:49:14 2013 +0300 perf: Treat attr.config as u64 in perf_swevent_init() Trinity discovered that we fail to check all 64 bits of attr.config passed by user space, resulting to out-of-bounds access of the perf_swevent_enabled array in sw_perf_event_destroy(). Introduced in commit b0a873ebb ("perf: Register PMU implementations"). Signed-off-by: Tommi Rantala <tt.rantala@gmail.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: davej@redhat.com Cc: Paul Mackerras <paulus@samba.org> Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Link: http://lkml.kernel.org/r/1365882554-30259-1-git-send-email-tt.rantala@gmail.com Signed-off-by: Ingo Molnar <mingo@kernel.org>
The SWAMPID for this issue is 52444. This issue was rated as critical. Please submit fixed packages until 2013-05-16. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
from http://womble.decadent.org.uk/blog/that-perf-root-exploit.html : sysctl kernel.perf_event_paranoid=2
Kernel from ftp://ftp.suse.com/pub/projects/kernel/kotd/SLE11-SP2/ is fixed and tested as can be seen bellow (sysctl workaround removed before reboot) steki@zabbix-ng:~> uname -a Linux zabbix-ng 3.0.76-16.ga10374f-default #1 SMP Tue May 14 01:02:07 UTC 2013 (a10374f) x86_64 x86_64 x86_64 GNU/Linux steki@zabbix-ng:~> rpm -q kernel-default kernel-default-3.0.76-16.1.ga10374f steki@zabbix-ng:~> ./semtex-static semtex-static: semtex.c:51: sheep: Assertion `!close(fd)' failed. Aborted steki@zabbix-ng:~> id # as expected no elevation uid=1010(steki) gid=100(users) groups=100(users),16(dialout),33(video) steki@zabbix-ng:~>
This is an autogenerated message for OBS integration: This bug (819789) was mentioned in https://build.opensuse.org/request/show/176098 Maintenance /
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, cluster-network-kmp-xen, gfs2-kmp-default, gfs2-kmp-trace, gfs2-kmp-xen, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra, kernel-xen-hmac, ocfs2-kmp-default, ocfs2-kmp-trace, ocfs2-kmp-xen, xen-kmp-default, xen-kmp-pae, xen-kmp-trace Products: SLE-DEBUGINFO 11-SP2 (x86_64) SLE-DESKTOP 11-SP2 (x86_64) SLE-HAE 11-SP2 (x86_64) SLE-SERVER 11-SP2 (x86_64) SLES4VMWARE 11-SP2 (x86_64)
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, ocfs2-kmp-default, ocfs2-kmp-trace Products: SLE-DEBUGINFO 11-SP2 (ia64) SLE-HAE 11-SP2 (ia64) SLE-SERVER 11-SP2 (ia64)
Update released for: cluster-network-kmp-default, cluster-network-kmp-ppc64, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-ppc64, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-default-hmac, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-ppc64-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra, kernel-trace-hmac, ocfs2-kmp-default, ocfs2-kmp-ppc64, ocfs2-kmp-trace Products: SLE-DEBUGINFO 11-SP2 (ppc64) SLE-HAE 11-SP2 (ppc64) SLE-SERVER 11-SP2 (ppc64)
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, kernel-trace-man, ocfs2-kmp-default, ocfs2-kmp-trace Products: SLE-DEBUGINFO 11-SP2 (s390x) SLE-HAE 11-SP2 (s390x) SLE-SERVER 11-SP2 (s390x)
Update released for: cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-trace, cluster-network-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-trace, gfs2-kmp-xen, kernel-default, kernel-default-base, kernel-default-devel, kernel-default-extra, kernel-default-hmac, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-devel, kernel-ec2-extra, kernel-ec2-hmac, kernel-pae, kernel-pae-base, kernel-pae-devel, kernel-pae-extra, kernel-pae-hmac, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-trace-hmac, kernel-xen, kernel-xen-base, kernel-xen-devel, kernel-xen-extra, kernel-xen-hmac, ocfs2-kmp-default, ocfs2-kmp-pae, ocfs2-kmp-trace, ocfs2-kmp-xen Products: SLE-DEBUGINFO 11-SP2 (i386) SLE-DESKTOP 11-SP2 (i386) SLE-HAE 11-SP2 (i386) SLE-SERVER 11-SP2 (i386) SLES4VMWARE 11-SP2 (i386)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-ppc64, ext4-writeable-kmp-trace, kernel-default-extra, kernel-ppc64-extra Products: SLE-SERVER 11-EXTRA (ppc64)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, kernel-default-extra Products: SLE-SERVER 11-EXTRA (ia64)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-pae, ext4-writeable-kmp-trace, ext4-writeable-kmp-xen, kernel-default-extra, kernel-pae-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (i386)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, kernel-default-extra Products: SLE-SERVER 11-EXTRA (s390x)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, ext4-writeable-kmp-xen, kernel-default-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (x86_64)
Update released for: cluster-network-kmp-rt, cluster-network-kmp-rt_trace, drbd-kmp-rt, drbd-kmp-rt_trace, iscsitarget-kmp-rt, iscsitarget-kmp-rt_trace, kernel-rt, kernel-rt-base, kernel-rt-debuginfo, kernel-rt-debugsource, kernel-rt-devel, kernel-rt-devel-debuginfo, kernel-rt-extra, kernel-rt-hmac, kernel-rt_trace, kernel-rt_trace-base, kernel-rt_trace-debuginfo, kernel-rt_trace-debugsource, kernel-rt_trace-devel, kernel-rt_trace-devel-debuginfo, kernel-rt_trace-extra, kernel-rt_trace-hmac, kernel-source-rt, kernel-syms-rt, lttng-modules-kmp-rt, lttng-modules-kmp-rt_trace, ocfs2-kmp-rt, ocfs2-kmp-rt_trace, ofed-kmp-rt, ofed-kmp-rt_trace Products: SLE-RT 11-SP2 (x86_64)
Do we know if the work-around/mitigation procedure documented in the bug is okay to use as a stop-gap measure until such time that the customer can reboot? From https://bugzilla.redhat.com/show_bug.cgi?id=962792#c13 : ====================================================== To mitigate the issue: 1) On the host, save the following in a file with the ".stp" extension: %{ #include <linux/perf_event.h> %} function sanitize_config:long (event:long) %{ struct perf_event *event; #if STAP_COMPAT_VERSION >= STAP_VERSION(1,8) event = (struct perf_event *) (unsigned long) STAP_ARG_event; #else event = (struct perf_event *) (unsigned long) THIS->event; #endif event->attr.config &= INT_MAX; %} probe kernel.function("perf_swevent_init").call { sanitize_config($event); } 2) Install the "systemtap" package and any required dependencies. Refer to the "2. Using SystemTap" chapter in the Red Hat Enterprise Linux 6 "SystemTap Beginners Guide" document, available from docs.redhat.com, for information on installing the required -debuginfo packages. 3) Run the "stap -g [filename-from-step-1].stp" command as root. If the host is rebooted, the changes will be lost and the script must be run again. Alternatively, build the systemtap script on a development system with "stap -g -p 4 [filename-from-step-1].stp", distribute the resulting kernel module to all affected systems, and run "staprun -L <module>" on those. When using this approach only systemtap-runtime package is required on the affected systems. Please notice that the kernel version must be the same across all systems. ====================================================== I have a customer that realizes the new kernel addresses the problem, but does not have the ability to reboot all of the server to apply the kernel.
(In reply to comment #40) > Do we know if the work-around/mitigation procedure documented in the bug is > okay to use as a stop-gap measure until such time that the customer can reboot? You will need the required flavor-debuginfo and flavor-devel-debuginfo packages matching the installed kernel. Also, the script is using embedded code, hence the -g flag to stap. I, personally, wouldn't *initially* try it on a critical production system. If you have a equivalent (same hw/kernel version) sstaging/eval system to test it on first, then that should be ok. With any stap script, it's being compiled down into a module and using a kprobe so there is potential for danger. The -g flag means you are overriding the fact that systemtap cannot guarantee the safety of the embedded C code. Other than this, the script looks fine ;-)
openSUSE-SU-2013:0847-1: An update that solves 7 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 806138,806976,806980,808829,809748,813735,815745,819519,819789 CVE References: CVE-2013-0913,CVE-2013-1767,CVE-2013-1774,CVE-2013-1796,CVE-2013-1797,CVE-2013-1798,CVE-2013-2094 Sources used: openSUSE 12.1 (src): kernel-docs-3.1.10-1.23.2.g8645a72, kernel-source-3.1.10-1.23.1.g8645a72, kernel-syms-3.1.10-1.23.1.g8645a72
openSUSE-SU-2013:0925-1: An update that solves 21 vulnerabilities and has 87 fixes is now available. Category: security (important) Bug References: 578046,651219,714604,722398,730117,736149,738210,744692,754583,754898,758243,761849,762424,763494,767612,768052,773577,776787,777616,777746,779577,780977,786150,786814,786900,787821,788826,789235,789311,789359,790867,792674,792793,793139,793671,794513,794529,794805,795269,795928,795957,795961,796412,796418,796823,797042,797175,798921,799197,799209,799270,799275,799578,799926,800280,800701,801038,801178,801713,801717,801720,801782,802153,802353,802445,802712,803056,803067,803394,803674,803712,804154,804220,804609,805823,806138,806395,806404,806431,806466,806469,806492,806631,806825,806847,806908,806976,806980,807431,807517,807560,807853,808166,808307,808829,808966,808991,809155,809166,809375,809493,809748,812281,812315,813963,816443,819789,89359 CVE References: CVE-2010-3873,CVE-2011-4131,CVE-2011-4604,CVE-2011-4622,CVE-2012-1601,CVE-2012-2119,CVE-2012-2137,CVE-2012-4461,CVE-2012-5517,CVE-2013-0160,CVE-2013-0216,CVE-2013-0231,CVE-2013-0871,CVE-2013-0913,CVE-2013-1767,CVE-2013-1774,CVE-2013-1796,CVE-2013-1797,CVE-2013-1798,CVE-2013-1848,CVE-2013-2094 Sources used: openSUSE 11.4 (src): iscsitarget-1.4.19-18.2, kernel-docs-3.0.74-34.2, kernel-source-3.0.74-34.1, kernel-syms-3.0.74-34.1, ndiswrapper-1.57rc1-20.1, omnibook-20100406-13.1, open-vm-tools-2012.8.8.1-41.1, pcfclock-0.44-250.1, preload-1.2-6.29.1, systemtap-1.4-1.11.1, virtualbox-4.0.12-0.58.1, xen-4.0.3_05-57.1, xtables-addons-1.37-0.22.1
openSUSE-SU-2013:0951-1: An update that solves two vulnerabilities and has 6 fixes is now available. Category: security (critical) Bug References: 803931,813889,815745,818327,818497,819519,819789,820048 CVE References: CVE-2013-0290,CVE-2013-2094 Sources used: openSUSE 12.3 (src): kernel-docs-3.7.10-1.11.1, kernel-source-3.7.10-1.11.1, kernel-syms-3.7.10-1.11.1
We have just released a kernel update for SUSE Linux Enterprise 11 SP2 that mentions/fixes this problem. Released kernel version is 3.0.80-0.5.1. (rerelease with 3.0.stable fix)
openSUSE-SU-2013:1042-1: An update that solves three vulnerabilities and has 5 fixes is now available. Category: security (critical) Bug References: 790920,803931,815745,818327,819519,819789,821560,822722 CVE References: CVE-2013-0290,CVE-2013-2094,CVE-2013-2850 Sources used: openSUSE 12.2 (src): kernel-docs-3.4.47-2.38.2, kernel-source-3.4.47-2.38.1, kernel-syms-3.4.47-2.38.1
Update released for: cluster-network-kmp-rt, cluster-network-kmp-rt_trace, drbd-kmp-rt, drbd-kmp-rt_trace, iscsitarget-kmp-rt, iscsitarget-kmp-rt_trace, kernel-rt, kernel-rt-base, kernel-rt-debuginfo, kernel-rt-debugsource, kernel-rt-devel, kernel-rt-devel-debuginfo, kernel-rt-extra, kernel-rt-hmac, kernel-rt_trace, kernel-rt_trace-base, kernel-rt_trace-debuginfo, kernel-rt_trace-debugsource, kernel-rt_trace-devel, kernel-rt_trace-devel-debuginfo, kernel-rt_trace-extra, kernel-rt_trace-hmac, kernel-source-rt, kernel-syms-rt, lttng-modules-kmp-rt, lttng-modules-kmp-rt_trace, ocfs2-kmp-rt, ocfs2-kmp-rt_trace, ofed-kmp-rt, ofed-kmp-rt_trace Products: SLE-DEBUGINFO 11-SP3 (x86_64) SLE-RT 11-SP3 (x86_64)