Headline
CVE-2022-1729: security - CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation
A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives such as kernel address information leak, arbitrary execution, etc.
- Products
- Openwall GNU/*/Linux server OS
- Linux Kernel Runtime Guard
- John the Ripper password cracker
- Free & Open Source for any platform
- in the cloud
- Pro for Linux
- Pro for macOS
- Wordlists for password cracking
- passwdqc policy enforcement
- Free & Open Source for Unix
- Pro for Windows (Active Directory)
- yescrypt KDF & password hashing
- yespower Proof-of-Work (PoW)
- crypt_blowfish password hashing
- phpass ditto in PHP
- tcb better password shadowing
- Pluggable Authentication Modules
- scanlogd port scan detector
- popa3d tiny POP3 daemon
- blists web interface to mailing lists
- msulogin single user mode login
- php_mt_seed mt_rand() cracker
- Services
- Publications
- Articles
- Presentations
- Resources
- Mailing lists
- Community wiki
- Source code repositories (GitHub)
- Source code repositories (CVSweb)
- File archive & mirrors
- How to verify digital signatures
- OVE IDs
- What’s new
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 20 May 2022 22:14:36 +0200 From: Norbert Slusarek <nslusarek@…net> To: oss-security@…ts.openwall.com Cc: peterz@…radead.org Subject: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation
Hello,
this is an announcement for a recently reported vulnerability (CVE-2022-1729) in the perf subsystem of the Linux kernel. The issue is a race condition which was proven to allow for a local privilege escalation to root on current kernel version >= 5.4.193, but the bug seems to exist since kernel version 4.0-rc1 (patch fixes the commit to this version). Fortunately, major Linux distributions often restrict the use of perf for unprivileged users by setting the sysctl variable kernel.perf_event_paranoid >= 3, effectively rendering the vulnerability harmless.
The patch can be found at https://lkml.kernel.org/r/[email protected]
Details
The following syscall order triggers the bug:
- fd0 = perf_event_open, type PERF_TYPE_TRACEPOINT is created.
Called simultaneously:
thread 1: fd1 = perf_event_open, type PERF_TYPE_HARDWARE, group leader fd0
thread 2: fd2 = perf_event_open, type PERF_TYPE_SOFTWARE, group leader fd0
thread 1: fd1 is of type PERF_TYPE_HARDWARE, and the group leader is of type PERF_TYPE_TRACEPOINT. Because fd1 is a hardware event in a software event group, the whole group is required to move to a hardware context, so move_group is set to 1.
thread 1: fd1 takes the context lock.
thread 2: fd2 is of type PERF_TYPE_SOFTWARE, so no group migration is needed and move_group is set to 0. This thread *waits* at the lock while it’s held by fd1.
thread 1: all siblings of fd1 and the group leader fd0 are moved from the current software context to a new hardware context.
thread 1: creation of fd1 is finished and the lock released.
thread 2: fd2 acquires the lock, and it is still attached to the old software context, even though its group leader fd0 is attached to the new hardware context.
The following sequence of event closes leaves a dangling pointer in the hardware context:
- close fd0
- close fd1 All of its siblings (fd2 in this case) are attached to a new context. Now, fd2 is in two contexts at the same time.
- close fd2 The event is removed from its old software context and freed, but a dangling pointer still persists in the newer context. For instance, merge_sched_in() can access this freed event when scheduling in events for the hardware context, leading to a use-after-free.
Regards, Norbert
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.
Related news
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Ubuntu Security Notice 5660-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Moshe Kol, Amit Klein and Yossi Gilad discovered that the IP implementation in the Linux kernel did not provide sufficient randomization when calculating port offsets. An attacker could possibly use this to expose sensitive information.
Ubuntu Security Notice 5647-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Moshe Kol, Amit Klein and Yossi Gilad discovered that the IP implementation in the Linux kernel did not provide sufficient randomization when calculating port offsets. An attacker could possibly use this to expose sensitive information.
Red Hat Security Advisory 2022-6696-01 - Red Hat Advanced Cluster Management for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. Issues addressed include crlf injection and denial of service vulnerabilities.
Ubuntu Security Notice 5623-1 - Asaf Modelevsky discovered that the Intel 10GbE PCI Express Ethernet driver for the Linux kernel performed insufficient control flow management. A local attacker could possibly use this to cause a denial of service. It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
An update for kernel is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, and Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1729: kernel: race condition in perf_event_open leads to privilege escalation
Ubuntu Security Notice 5602-1 - Asaf Modelevsky discovered that the Intel 10GbE PCI Express Ethernet driver for the Linux kernel performed insufficient control flow management. A local attacker could possibly use this to cause a denial of service. It was discovered that the IP implementation in the Linux kernel did not provide sufficient randomization when calculating port offsets. An attacker could possibly use this to expose sensitive information.
Ubuntu Security Notice 5560-2 - Zhenpeng Lin discovered that the network packet scheduler implementation in the Linux kernel did not properly remove all references to a route filter before freeing it in some situations. A local attacker could use this to cause a denial of service or execute arbitrary code. It was discovered that the netfilter subsystem of the Linux kernel did not prevent one nft object from referencing an nft set in another nft table, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5560-1 - Zhenpeng Lin discovered that the network packet scheduler implementation in the Linux kernel did not properly remove all references to a route filter before freeing it in some situations. A local attacker could use this to cause a denial of service or execute arbitrary code. It was discovered that the netfilter subsystem of the Linux kernel did not prevent one nft object from referencing an nft set in another nft table, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.
Red Hat Security Advisory 2022-5806-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include privilege escalation and use-after-free vulnerabilities.
Red Hat Security Advisory 2022-5626-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include information leakage, memory leak, privilege escalation, and use-after-free vulnerabilities.
An update for kernel is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-29368: kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check * CVE-2021-4197: kernel: cgroup: Use open-time creds and namespace for migration perm checks * CVE-2021-4203: kernel: Race condition in races in sk_peer_pid and sk_peer_cred accesses * CVE-2022-1...
An update for kernel is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1012: kernel: Small table perturb size in the TCP source port generation algorithm can lead to information leak * CVE-2022-1729: kernel: race condition in perf_event_open leads to privilege escalation * CVE-2022-32250: kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root
An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1729: kernel: race condition in perf_event_open leads to privilege escalation
Red Hat Security Advisory 2022-5232-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include privilege escalation and use-after-free vulnerabilities.
Red Hat Security Advisory 2022-5157-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include a privilege escalation vulnerability.
An update for kernel is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation * CVE-2022-1729: kernel: race condition in perf_event_open leads to privilege escalation