[Precise][Quantal][CVE 2/2] ARM: 7809/1: perf: fix event validation for software group leaders

Luis Henriques luis.henriques at canonical.com
Mon Aug 26 08:52:41 UTC 2013


From: Will Deacon <will.deacon at arm.com>

CVE-2013-4254

BugLink: http://bugs.launchpad.net/bugs/1216442

It is possible to construct an event group with a software event as a
group leader and then subsequently add a hardware event to the group.
This results in the event group being validated by adding all members
of the group to a fake PMU and attempting to allocate each event on
their respective PMU.

Unfortunately, for software events without a corresponding arm_pmu, this
results in a kernel crash attempting to dereference the ->get_event_idx
function pointer.

This patch fixes the problem by checking explicitly for software events
and ignoring those in event validation (since they can always be
scheduled). We will probably want to revisit this for 3.12, since the
validation checks don't appear to work correctly when dealing with
multiple hardware PMUs anyway.

Cc: <stable at vger.kernel.org>
Reported-by: Vince Weaver <vincent.weaver at maine.edu>
Tested-by: Vince Weaver <vincent.weaver at maine.edu>
Tested-by: Mark Rutland <mark.rutland at arm.com>
Signed-off-by: Will Deacon <will.deacon at arm.com>
Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>
(cherry picked from commit c95eb3184ea1a3a2551df57190c81da695e2144b)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 arch/arm/kernel/perf_event.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
index cd38fee..ae6d079 100644
--- a/arch/arm/kernel/perf_event.c
+++ b/arch/arm/kernel/perf_event.c
@@ -331,6 +331,9 @@ validate_event(struct pmu_hw_events *hw_events,
 	struct hw_perf_event fake_event = event->hw;
 	struct pmu *leader_pmu = event->group_leader->pmu;
 
+	if (is_software_event(event))
+		return 1;
+
 	if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF)
 		return 1;
 
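Review bot: the new early return at the top of validate_event() has no comment saying why a software event is reported as valid, and the reason (software events can always be scheduled) is only in the commit message; a one-line comment above `if (is_software_event(event))` would keep that with the code. Separately, leader_pmu is still taken from event->group_leader->pmu, so when the leader is a software event the unchanged `event->pmu != leader_pmu` test below also returns 1 for every hardware member of the group. That means such a group passes validation without its hardware events being checked against the fake PMU. This matches the commit message's remark that validation needs revisiting, but it deserves a TODO here or a follow-up that compares hardware events against the PMU being validated rather than the leader's PMU.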
-- 
1.8.3.2




