Bug 1701245 (CVE-2019-3901) - CVE-2019-3901 kernel: perf_event_open() and execve() race in setuid programs allows a data leak
Summary: CVE-2019-3901 kernel: perf_event_open() and execve() race in setuid programs ...
Keywords:
Status: NEW
Alias: CVE-2019-3901
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1701620 1701621
Blocks: 1701243
Reported: 2019-04-18 13:37 UTC by Vladis Dronov
Modified: 2019-09-29 15:11 UTC
CC List: 19 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls.
Clone Of:
Environment:
Last Closed:



Description Vladis Dronov 2019-04-18 13:37:54 UTC
A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls.

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=807

https://seclists.org/oss-sec/2019/q2/9

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=79c9ce57eb2d5f1497546a3946b4ae21b6fdc438

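The interleaving described in the Doc Text and in the Description above, as an added userspace model written for this page (not kernel code, not the upstream patch, and not the Project Zero PoC): the function names mirror the kernel's, but their bodies are reduced to the uid/dumpable state the race turns on, and the sleeping of execve() on a held cred_guard_mutex is represented by a boolean; both simplifications are assumptions of the model. Running it with hold_cred_guard=false reproduces the flaw (an event ends up attached to a task that is now root); with hold_cred_guard=true, the ordering of commit 79c9ce57eb2d, the exec is forced to wait until the event is installed, and its perf_event_exit_task() then tears the event down.

```c
/*
 * Userspace model of the CVE-2019-3901 ordering problem. Added example, not
 * kernel code and not the Project Zero PoC: the names mirror the kernel's,
 * the bodies are deliberately minimal and are assumptions of the model.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct task {
    unsigned uid;          /* real uid; 0 = root after a setuid-root exec */
    bool dumpable;         /* get_dumpable(mm) == SUID_DUMP_USER */
    bool cred_guard_held;  /* stands in for task->signal->cred_guard_mutex */
    int attached_events;   /* perf events installed in this task's context */
};

/* ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS), reduced to uid + dumpable. */
static bool ptrace_may_access(const struct task *t, unsigned caller_uid)
{
    if (caller_uid == 0)
        return true;
    return caller_uid == t->uid && t->dumpable;
}

/* perf_event_exit_task(current), as install_exec_creds() calls it for a non-dumpable exec. */
static void perf_event_exit_task(struct task *t)
{
    t->attached_events = 0;
}

/*
 * The target's execve() of a setuid-root binary. exec takes cred_guard_mutex
 * early, so while perf_event_open() holds it the exec must sleep: modelled
 * by returning false and leaving the task untouched.
 */
static bool execve_setuid_root(struct task *t)
{
    if (t->cred_guard_held)
        return false;
    t->uid = 0;               /* commit_creds(): the task is now root */
    t->dumpable = false;      /* a setuid exec clears dumpable */
    perf_event_exit_task(t);  /* install_exec_creds() drops existing monitoring */
    return true;
}

/*
 * First half of perf_event_open(): the access check. With hold_cred_guard the
 * mutex is taken before the check and kept until the event is installed;
 * without it nothing pins the target's credentials between check and install.
 */
static int perf_event_open_begin(struct task *t, unsigned caller_uid, bool hold_cred_guard)
{
    if (hold_cred_guard)
        t->cred_guard_held = true;
    if (!ptrace_may_access(t, caller_uid)) {
        if (hold_cred_guard)
            t->cred_guard_held = false;
        return -EACCES;
    }
    return 0;
}

/* Second half: perf_event_alloc() + perf_install_in_context(), then release. */
static void perf_event_open_finish(struct task *t, bool hold_cred_guard)
{
    t->attached_events++;
    if (hold_cred_guard)
        t->cred_guard_held = false;
}

/*
 * Adversarial interleaving: the target execs between check and install.
 * Returns the number of events still attached once the task is root,
 * -EACCES if the check failed, or -1 if the task never became root.
 */
static int race_exec_between_check_and_install(bool hold_cred_guard)
{
    struct task t = { .uid = 1000, .dumpable = true };
    int err = perf_event_open_begin(&t, 1000, hold_cred_guard);
    if (err)
        return err;
    bool exec_blocked = !execve_setuid_root(&t);  /* scheduler runs the target here */
    perf_event_open_finish(&t, hold_cred_guard);
    if (exec_blocked)
        execve_setuid_root(&t);                   /* target resumes after the unlock */
    return t.uid == 0 ? t.attached_events : -1;
}

/* Benign interleaving for comparison: the exec completes before the check runs. */
static int race_exec_before_check(bool hold_cred_guard)
{
    struct task t = { .uid = 1000, .dumpable = true };
    execve_setuid_root(&t);
    int err = perf_event_open_begin(&t, 1000, hold_cred_guard);
    if (err)
        return err;
    perf_event_open_finish(&t, hold_cred_guard);
    return t.attached_events;
}

int main(void)
{
    printf("exec between check/install, unfixed: %d event(s) left on root task\n",
           race_exec_between_check_and_install(false));
    printf("exec between check/install, fixed:   %d event(s) left on root task\n",
           race_exec_between_check_and_install(true));
    printf("exec before check: unfixed %d, fixed %d (-%d is -EACCES)\n",
           race_exec_before_check(false), race_exec_before_check(true), EACCES);
    return 0;
}
```

The exec-before-check case comes out the same with or without the fix, which is why the original check looked sufficient: only the window between ptrace_may_access() and perf_install_in_context() matters, and the fix closes it by holding cred_guard_mutex across both rather than by changing the check itself.
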
Comment 6 Vladis Dronov 2019-04-20 00:02:51 UTC
Notes:

Red Hat Enterprise Linux 6 does not have PERF_TYPE_BREAKPOINT implemented, so the attack surface is much more limited, and so the severity of this security flaw is considered low for it.

