Associated Vulnerability
Title: Out-of-bounds write in Linux kernel's Performance Events system component (CVE-2023-6931)
Description: A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation. A perf_event's read_size can overflow, leading to a heap out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.
Description
CVE-2023-6931 kernel panic PoC
Readme
# CVE-2023-6931
Kernel Panic PoC for CVE-2023-6931
Description
---
CVE-2023-6931 is a vulnerability in `perf_event` that leads to a heap buffer overflow caused by an integer overflow in the `read_size` of a group.
### What is a Performance Event (perf event)?
`perf_events` is a performance monitoring and analysis framework provided by the Linux kernel. This framework enables the tracking of various performance-related data generated by both hardware and software components.
#### Main Uses
- Hardware Event Tracking
Tracks events such as CPU cycles, instruction execution counts, cache misses, and more.
- Software Event Tracking
Monitors kernel software events such as page faults, context switches, and similar activity.
- Custom Event Tracking
Enables tracking of events specific to certain applications or the kernel.
#### Components of perf
- `perf_event_open` System call
An interface that allows user-space to configure and control performance events in the kernel.
It is used to create, group, control, or read data from events.
- Performance Counters
The actual data tracked by the CPU and kernel, such as the number of executed instructions or CPU utilization.
- Event Groups
Allows multiple performance events to be grouped and managed together. A group leader event acts as the representative of the group, while sibling events represent the remaining events within the group.
---
### Requirements
1. The value of `/proc/sys/kernel/perf_event_paranoid` must be 1 or lower.
2. The number of file descriptors that can be opened must be at least around 4100. This can be checked and modified using the `ulimit -n` command.
3. The kernel option `CONFIG_PERF_EVENTS` must be set.
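The three preconditions above are all things an administrator can read off a host. The following script, added here as an example and not part of the PoC repository, turns them into a small exposure check: the pure functions take the values as arguments so they can be exercised without a kernel, and `main()` gathers them from the running system. The config file locations (`/proc/config.gz`, `/boot/config-<release>`) and the 4100 descriptor figure are taken as assumptions from common distribution layouts and from the README respectively.

```python
"""Precondition check for the README's three requirements (added example; not the PoC's own code)."""
import gzip
import os
import platform
from typing import Optional

PARANOID_PATH = "/proc/sys/kernel/perf_event_paranoid"
FD_NEEDED = 4100  # approximate descriptor count quoted in the README


def paranoid_allows_unprivileged(level: int) -> bool:
    """Requirement 1: the README needs perf_event_paranoid to be 1 or lower."""
    return level <= 1


def fd_limit_sufficient(soft_limit: int, needed: int = FD_NEEDED) -> bool:
    """Requirement 2: `ulimit -n` must allow roughly 4100 open descriptors."""
    return soft_limit >= needed


def config_has_perf_events(config_text: str) -> bool:
    """Requirement 3: CONFIG_PERF_EVENTS=y must appear in the kernel config."""
    return any(line.strip() == "CONFIG_PERF_EVENTS=y" for line in config_text.splitlines())


def assess(level: int, soft_limit: int, config_text: str) -> dict:
    """Combine the three checks; 'exposed' is True only when every precondition holds."""
    result = {
        "paranoid_ok": paranoid_allows_unprivileged(level),
        "fd_ok": fd_limit_sufficient(soft_limit),
        "perf_events_built": config_has_perf_events(config_text),
    }
    result["exposed"] = all(result.values())
    return result


def read_kernel_config() -> Optional[str]:
    """Best-effort read of the running kernel's config (paths are an assumption about the host)."""
    candidates = ["/proc/config.gz", f"/boot/config-{platform.release()}"]
    for path in candidates:
        if not os.path.exists(path):
            continue
        if path.endswith(".gz"):
            with gzip.open(path, "rt") as fh:
                return fh.read()
        with open(path) as fh:
            return fh.read()
    return None


def main() -> None:
    try:
        with open(PARANOID_PATH) as fh:
            level = int(fh.read().strip())
    except OSError:
        print("perf_event_paranoid sysctl not readable; not a Linux host or no /proc")
        return
    import resource  # Unix-only module, imported here so the pure functions stay portable
    soft_limit, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    config = read_kernel_config()
    report = assess(level, soft_limit, config or "")
    if config is None:
        report["perf_events_built"] = None  # unknown: no readable config
        report["exposed"] = None
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["paranoid_ok"]:
        print("note: the README's first precondition stops holding once perf_event_paranoid is above 1")


if __name__ == "__main__":
    main()
```

Run it as an unprivileged user on the host you want to assess; a `None` in the report means the kernel config could not be located rather than that the option is absent.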
---
### Vulnerability description
The vulnerability arises from an integer overflow in the `read_size` of a group. The function `perf_event_validate_size` validates `read_size`, but the way it does so only checks the `read_size` of the current event.
The key point is that during each validation only the current event is checked, never the events added before it. If `PERF_FORMAT_GROUP` is set for the group leader, simply adding another event increases the `read_size` of the group leader.
This ultimately causes an issue in `perf_read_group`. The calculation of `event->read_size` is based on the `read_format` of the group leader, multiplied by `nr_siblings`. Since the `read_size` variable is a 2-byte `u16`, the maximum value it can hold is `0xffff`.
To exploit this, the attacker first creates a group leader event with all possible `read_format` options set. Next, numerous sibling events are created. These siblings only set `PERF_FORMAT_TOTAL_TIME_RUNNING` in their `read_format`, so each passes `perf_event_validate_size` on its own. As a result, the `nr_siblings` value becomes extremely large, but since every sibling event is validated individually, nothing fails at this stage.
When `perf_read_group` is called in this state, the `read_size` of the group leader keeps growing because `PERF_FORMAT_GROUP` is set. Eventually this leads to an integer overflow, and `kzalloc` allocates a very small buffer. However, since the actual number of events is very large, a heap buffer overflow occurs, causing a kernel panic.
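The root cause is purely arithmetic, so it can be modelled without touching a kernel. The block below is an added example, not code from the PoC repository or the kernel: it mirrors the size computation of the kernel's `__perf_event_read_size()` as I understand it (one `u64` per `read_format` field, the `read_format` bit values from the perf uapi header, a `u16` `event->read_size`) and compares the pre-fix validation, which checks only the event being added, with the whole-group validation the referenced fix commit introduces. The exact kernel layout and the fix's internals are assumptions here; the model's own numbers are checkable: with the four `read_format` flags a leader can set, the 16-bit size wraps once the group holds 4094 siblings, which is the "around 4100 descriptors" the README lists as a requirement, and the wrapped value is a mere 8 bytes.

```python
"""Model of the perf_event read_size overflow (added example; not kernel or PoC code)."""

# read_format flag bits, as defined in the perf uapi header (assumed values)
PERF_FORMAT_TOTAL_TIME_ENABLED = 1 << 0
PERF_FORMAT_TOTAL_TIME_RUNNING = 1 << 1
PERF_FORMAT_ID = 1 << 2
PERF_FORMAT_GROUP = 1 << 3
PERF_FORMAT_LOST = 1 << 4  # only present on newer kernels

U64 = 8          # every read_format field is a 64-bit value
U16_MAX = 0xFFFF  # event->read_size is a u16

# The leader configuration the README describes: every flag set (LOST omitted
# so the model matches the README's ~4100 descriptor figure); siblings set
# only TOTAL_TIME_RUNNING.
LEADER_FORMAT = (PERF_FORMAT_TOTAL_TIME_ENABLED | PERF_FORMAT_TOTAL_TIME_RUNNING
                 | PERF_FORMAT_ID | PERF_FORMAT_GROUP)
SIBLING_FORMAT = PERF_FORMAT_TOTAL_TIME_RUNNING


def read_size(read_format: int, nr_siblings: int) -> int:
    """Untruncated number of bytes a read() of this event produces.

    Mirrors the kernel's __perf_event_read_size() layout (assumption):
    optional time fields, then one entry (value [+ id] [+ lost]) per member.
    """
    entry = U64   # the counter value itself
    size = 0
    nr = 1        # the event itself
    if read_format & PERF_FORMAT_TOTAL_TIME_ENABLED:
        size += U64
    if read_format & PERF_FORMAT_TOTAL_TIME_RUNNING:
        size += U64
    if read_format & PERF_FORMAT_ID:
        entry += U64
    if read_format & PERF_FORMAT_LOST:
        entry += U64
    if read_format & PERF_FORMAT_GROUP:
        nr += nr_siblings   # a group read returns every sibling's entry too
        size += U64         # the leading 'nr' field
    return size + entry * nr


def stored_read_size(read_format: int, nr_siblings: int) -> int:
    """What a u16 event->read_size actually holds: the true size modulo 2**16."""
    return read_size(read_format, nr_siblings) & U16_MAX


def validate_current_only(new_event_format: int, nr_siblings: int) -> bool:
    """Pre-fix check: only the event being added is measured against the u16 limit."""
    return read_size(new_event_format, nr_siblings) <= U16_MAX


def validate_whole_group(leader_format: int, sibling_formats: list) -> bool:
    """Post-fix idea: re-measure the leader and every sibling against the grown group."""
    n = len(sibling_formats)
    sizes = [read_size(leader_format, n)] + [read_size(f, n) for f in sibling_formats]
    return all(s <= U16_MAX for s in sizes)


def first_wrapping_sibling_count(leader_format: int) -> int:
    """Smallest sibling count at which the leader's true read size exceeds a u16."""
    n = 0
    while read_size(leader_format, n) <= U16_MAX:
        n += 1
    return n


if __name__ == "__main__":
    n = first_wrapping_sibling_count(LEADER_FORMAT)
    print(f"leader read_size wraps once the group has {n} siblings")
    print(f"true size: {read_size(LEADER_FORMAT, n)} bytes, "
          f"u16 value handed to kzalloc: {stored_read_size(LEADER_FORMAT, n)} bytes")
    print("sibling-only validation still passes:", validate_current_only(SIBLING_FORMAT, n))
    print("whole-group validation rejects it:", not validate_whole_group(LEADER_FORMAT, [SIBLING_FORMAT] * n))
```

The two validators make the defect concrete: a sibling without `PERF_FORMAT_GROUP` always reads 16 bytes regardless of how many siblings exist, so checking it alone can never fail, whereas re-measuring the leader against the grown group rejects the 4094th sibling before any undersized allocation can happen.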
File Snapshot
[4.0K] /data/pocs/1201c20c7359abe00527aa85cac81d8ace5ef34f
├── [888K] PoC
├── [2.4K] PoC.c
└── [3.2K] README.md
0 directories, 3 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support.