Recently, Linux kernel maintainers issued a risk notice for the Linux perf subsystem. The vulnerability is tracked as CVE-2022-1729 and is rated high risk, with a CVSS score of 7.0. The flaw is a use-after-free bug in the Linux kernel's performance events functionality.
According to the wiki main page, perf can instrument CPU performance counters, tracepoints, kprobes, and uprobes (dynamic tracing). It is capable of lightweight profiling. It is also included in the Linux kernel, under tools/perf, and is frequently updated and enhanced. The Linux perf subsystem has been available since Linux kernel version 2.6.31, released in 2009. CVE-2022-1729 allows a local user to crash the system or potentially escalate their privileges.
The issue is a race condition when setting up performance monitoring between a leading PERF_TYPE_TRACEPOINT event and sub-events of the PERF_EVENT_HARDWARE and PERF_EVENT_SOFTWARE types, created through the perf_event_open() system call with these three types. It was proven to allow local privilege escalation to root on current kernel versions >= 5.4.193, but the bug appears to have existed since kernel version 4.0-rc1 (the fix patch references a commit from that version). Fortunately, major Linux distributions often restrict the use of perf by unprivileged users by setting the sysctl variable kernel.perf_event_paranoid to >= 3, effectively rendering the vulnerability harmless.
At present, various Linux distributions such as Red Hat have officially issued security patches. Users are advised to upgrade to a fixed version as soon as possible, or to follow the official instructions for mitigation.
Mitigation
On Red Hat Enterprise Linux, an unprivileged user can trigger this flaw by default. To prevent attacks by unprivileged users, set kernel.perf_event_paranoid to the value 3.
This can be done with the command:
sudo /sbin/sysctl -w "kernel.perf_event_paranoid=3"
Or unprivileged access can be disabled for all subsequent boots of the system by setting the value in /etc/sysctl.d/45-perf-event-paranoid:
## start file ##
kernel.perf_event_paranoid=3
## end file ##
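As an added verification step (example script, not part of the advisory or of Red Hat's instructions), the following POSIX shell functions read kernel.perf_event_paranoid and report whether unprivileged calls to perf_event_open() are blocked, i.e. whether the mitigation above is actually in effect on a host. The function names, the "restricted"/"exposed" labels and the optional file-path argument (used here so the check can run against a constructed sample file) are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether the kernel.perf_event_paranoid
# mitigation for CVE-2022-1729 is in effect.
#
# Meaning of the sysctl levels (Documentation/admin-guide/sysctl/kernel.rst):
#   -1 : allow all events to all users
#    0 : disallow raw tracepoint and ftrace function tracepoint access
#    1 : disallow CPU event access by unprivileged users
#    2 : disallow kernel profiling by unprivileged users
#  >=3 : disallow perf_event_open() entirely for unprivileged users
#        (level honored by distribution kernels carrying the restricted-perf patch)

# perf_paranoid_status LEVEL
#   Prints "restricted" (exit 0) when unprivileged perf_event_open() is blocked,
#   "exposed" (exit 1) when unprivileged users can still open perf events,
#   "invalid" (exit 2) when LEVEL is not an integer.
perf_paranoid_status() {
    val="$1"
    case "$val" in
        ''|*[!0-9-]*)
            echo "invalid"
            return 2
            ;;
    esac
    if [ "$val" -ge 3 ]; then
        # Unprivileged users cannot reach the perf_event_open() race at all.
        echo "restricted"
        return 0
    fi
    # Unprivileged perf_event_open() is permitted: an unpatched kernel is reachable.
    echo "exposed"
    return 1
}

# check_perf_paranoid_file [PATH]
#   Reads the level from PATH (default: the live kernel value under /proc) and
#   classifies it; prints "unavailable" (exit 2) if the file cannot be read.
check_perf_paranoid_file() {
    f="${1:-/proc/sys/kernel/perf_event_paranoid}"
    if [ ! -r "$f" ]; then
        echo "unavailable"
        return 2
    fi
    perf_paranoid_status "$(cat "$f")"
}

# Stand-alone use: check the running kernel and exit non-zero if it is exposed.
if [ "${PERF_PARANOID_CHECK_MAIN:-0}" = "1" ]; then
    check_perf_paranoid_file
fi
```

Run it with `PERF_PARANOID_CHECK_MAIN=1 sh check-perf-paranoid.sh` on each host after applying the sysctl; a non-zero exit means unprivileged users can still call perf_event_open(). Note that level 3 is only meaningful on kernels that carry the distribution patch adding it; on a mainline kernel without that patch, values above 2 do not restrict user-space events further, so verify the behaviour on the target kernel rather than trusting the number alone.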
Via: openwall