Bug 1563069 (CVE-2017-18255) - CVE-2017-18255 kernel: Integer overflow in events/core.c:perf_cpu_time_max_percent_handler() can allow for denial of service
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-18255
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1563071
Reported: 2018-04-03 06:28 UTC by Sam Fowler
Modified: 2021-02-17 00:34 UTC (History)

Fixed In Version: kernel 4.11
Doc Text:
A vulnerability was found in the Linux kernel's kernel/events/core.c:perf_cpu_time_max_percent_handler() function. Local privileged users could exploit this flaw to cause a denial of service due to integer overflow or possibly have unspecified other impact.
Clone Of:
Environment:
Last Closed: 2018-04-04 17:06:39 UTC


Description Sam Fowler 2018-04-03 06:28:21 UTC
The Linux kernel has a vulnerability in the kernel/events/core.c:perf_cpu_time_max_percent_handler() function which local privileged users could exploit to cause a denial of service due to integer overflow or possibly have unspecified other impact.

References:

https://marc.info/?l=linux-kernel&m=148782918310003

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1572e45a924f254d9570093abde46430c3172e3d

Comment 3 Vladis Dronov 2018-04-04 17:03:25 UTC
Notes:

This flaw is exploitable by the privileged user (the real "root") only and not from namespaces:

# ls -l /proc/sys/kernel/perf_cpu_time_max_percent
-rw-r--r-- 1 root root 0 Apr  4 18:52 /proc/sys/kernel/perf_cpu_time_max_percent

$ unshare -U -r
# echo 30 > /proc/sys/kernel/perf_cpu_time_max_percent
-bash: /proc/sys/kernel/perf_cpu_time_max_percent: Permission denied

