Bug 2086753 (CVE-2022-1729) - CVE-2022-1729 kernel: race condition in perf_event_open leads to privilege escalation
Summary: CVE-2022-1729 kernel: race condition in perf_event_open leads to privilege es...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-1729
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2087945 2087946 2087947 2087948 2087949 2087950 2087951 2087952 2087953 2087954 2087955 2087956 2087957 2087959 2087960 2087961 2087962 2087963 2087964 2087965 2087966 2087973 2087974 2087975 2087976 2087977 2087978 2087979 2087980 2088501 2088502 2089288 2089289
Blocks: 2086700
TreeView+ depends on / blocked
 
Reported: 2022-05-16 14:32 UTC by Marian Rehak
Modified: 2023-02-22 09:23 UTC (History)
62 users (show)

Fixed In Version: kernel 5.18 rc9
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s performance events functionality. A user triggers a race condition in setting up performance monitoring between the leading PERF_TYPE_TRACEPOINT and sub PERF_EVENT_HARDWARE plus the PERF_EVENT_SOFTWARE using the perf_event_open() function with these three types. This flaw allows a local user to crash the system.
Clone Of:
Environment:
Last Closed: 2022-12-05 17:03:08 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:5457 0 None None None 2022-06-30 17:42:33 UTC
Red Hat Product Errata RHBA-2022:5603 0 None None None 2022-07-19 13:33:47 UTC
Red Hat Product Errata RHBA-2022:5744 0 None None None 2022-07-27 17:37:01 UTC
Red Hat Product Errata RHBA-2022:5746 0 None None None 2022-07-28 05:30:17 UTC
Red Hat Product Errata RHSA-2022:5157 0 None None None 2022-06-22 08:46:44 UTC
Red Hat Product Errata RHSA-2022:5220 0 None None None 2022-06-28 07:55:34 UTC
Red Hat Product Errata RHSA-2022:5224 0 None None None 2022-06-28 07:54:16 UTC
Red Hat Product Errata RHSA-2022:5232 0 None None None 2022-06-28 09:46:36 UTC
Red Hat Product Errata RHSA-2022:5236 0 None None None 2022-06-28 09:47:19 UTC
Red Hat Product Errata RHSA-2022:5249 0 None None None 2022-06-28 14:59:34 UTC
Red Hat Product Errata RHSA-2022:5267 0 None None None 2022-06-28 10:43:17 UTC
Red Hat Product Errata RHSA-2022:5564 0 None None None 2022-07-13 08:38:24 UTC
Red Hat Product Errata RHSA-2022:5565 0 None None None 2022-07-13 08:38:34 UTC
Red Hat Product Errata RHSA-2022:5626 0 None None None 2022-07-19 21:06:17 UTC
Red Hat Product Errata RHSA-2022:5633 0 None None None 2022-07-19 21:08:01 UTC
Red Hat Product Errata RHSA-2022:5636 0 None None None 2022-07-19 15:28:49 UTC
Red Hat Product Errata RHSA-2022:5806 0 None None None 2022-08-02 07:13:42 UTC
Red Hat Product Errata RHSA-2022:6432 0 None None None 2022-09-13 07:41:01 UTC
Red Hat Product Errata RHSA-2022:6741 0 None None None 2022-09-28 15:57:42 UTC

Description Marian Rehak 2022-05-16 14:32:48 UTC 
A race condition in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives such as kernel address information leak, arbitrary execution, etc.
Comment 10 Marian Rehak 2022-05-23 11:09:05 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-34 [bug 2089288]
Affects: fedora-35 [bug 2089289]
Comment 11 Justin M. Forbes 2022-05-23 16:28:05 UTC 
Why are we creating separate Fedora tracking bugs for different versions with this? Typically there is a single Fedora bug, which makes it much easier since typically all Fedora versions are on the same kernel version, and I file a single update for all supported releases which bodhi breaks out on the back end.
Comment 27 errata-xmlrpc 2022-06-22 08:46:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:5157 https://access.redhat.com/errata/RHSA-2022:5157
Comment 28 errata-xmlrpc 2022-06-28 07:54:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5224 https://access.redhat.com/errata/RHSA-2022:5224
Comment 29 errata-xmlrpc 2022-06-28 07:55:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5220 https://access.redhat.com/errata/RHSA-2022:5220
Comment 30 errata-xmlrpc 2022-06-28 09:46:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5232 https://access.redhat.com/errata/RHSA-2022:5232
Comment 31 errata-xmlrpc 2022-06-28 09:47:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5236 https://access.redhat.com/errata/RHSA-2022:5236
Comment 32 errata-xmlrpc 2022-06-28 10:43:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5267 https://access.redhat.com/errata/RHSA-2022:5267
Comment 33 errata-xmlrpc 2022-06-28 14:59:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5249 https://access.redhat.com/errata/RHSA-2022:5249
Comment 35 Wade Mealing 2022-07-07 08:17:04 UTC 
Gday Alex,

We could possibly change this, however i'm reading the docs:

perf_event_paranoid:

Controls use of the performance events system by unprivileged
users (without CAP_SYS_ADMIN).  The default value is 2.

 -1: Allow use of (almost) all events by all users
     Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>=0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN
     Disallow raw tracepoint access by users without CAP_SYS_ADMIN
>=1: Disallow CPU event access by users without CAP_SYS_ADMIN
>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN

Are you proposing that we add it and set it the default or just have the option there ? 

I think changing the default to 3 would not be an easy sell for engineering.
Adding it as an option may be possible but will need upstream first. 

The best contat that I can think of would be Michael Petlan, he's always been very good at getting to the root of the problem.

As I haven't looked at the patch though, how is this different than 2? 
  

Wade.
Comment 36 errata-xmlrpc 2022-07-13 08:38:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5564 https://access.redhat.com/errata/RHSA-2022:5564
Comment 37 errata-xmlrpc 2022-07-13 08:38:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5565 https://access.redhat.com/errata/RHSA-2022:5565
Comment 41 errata-xmlrpc 2022-07-19 15:28:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5636 https://access.redhat.com/errata/RHSA-2022:5636
Comment 42 errata-xmlrpc 2022-07-19 21:06:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5626 https://access.redhat.com/errata/RHSA-2022:5626
Comment 43 errata-xmlrpc 2022-07-19 21:07:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5633 https://access.redhat.com/errata/RHSA-2022:5633
Comment 44 errata-xmlrpc 2022-08-02 07:13:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2022:5806 https://access.redhat.com/errata/RHSA-2022:5806
Comment 47 errata-xmlrpc 2022-09-13 07:40:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:6432 https://access.redhat.com/errata/RHSA-2022:6432
Comment 48 errata-xmlrpc 2022-09-28 15:57:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:6741 https://access.redhat.com/errata/RHSA-2022:6741
Comment 50 Product Security DevOps Team 2022-12-05 17:03:04 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1729
Note You need to log in before you can comment on or make changes to this bug.