A security researcher has recently disclosed technical details and proof-of-concept (PoC) exploit code for a vulnerability in the Linux kernel's Performance Events system component. This flaw, identified as CVE-2023-6931, carries a CVSS score of 7.8, indicating a high severity risk.
The vulnerability is described as a heap out-of-bounds write, which can be exploited to achieve local privilege escalation on affected Linux systems.
The vulnerability lies in how perf_event handles event groups when using the PERF_FORMAT_GROUP flag in its read_format. This flag allows multiple performance counters to be read at once, grouped under a single leader. However, the kernel tracks the size of data to be read with a u16 read_size, which is subject to overflow when too many events are grouped together.
The perf_read_group() function allocates a buffer using an event's read_size. It then iterates through the sibling_list, incrementing and potentially writing to successive u64 entries within this buffer. The integer overflow in read_size allows perf_read_group() to increment/write memory outside the allocated heap buffer.
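To make the truncation concrete, the following is an added example (not the researcher's code and not the kernel's own) that models the PERF_FORMAT_GROUP read-size computation in a wide type, shows the value that a u16 field would actually store, and contrasts it with a validation done before anything is stored or allocated; the 16 KiB bound and the sibling counts are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* read_format flag bits, as in the uapi perf_event.h header */
#define PERF_FORMAT_TOTAL_TIME_ENABLED (1U << 0)
#define PERF_FORMAT_TOTAL_TIME_RUNNING (1U << 1)
#define PERF_FORMAT_ID                 (1U << 2)
#define PERF_FORMAT_GROUP              (1U << 3)
#define PERF_FORMAT_LOST               (1U << 4)

/* Bytes of group read output for one leader plus nr_siblings, computed in
 * 64 bits: optional header fields, a nr field, then one entry per event. */
static uint64_t group_read_size(uint32_t read_format, uint64_t nr_siblings)
{
    uint64_t entry = sizeof(uint64_t); /* per event: value */
    uint64_t size = 0;
    uint64_t nr = 1;                   /* the leader itself */

    if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) size += sizeof(uint64_t);
    if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) size += sizeof(uint64_t);
    if (read_format & PERF_FORMAT_ID)   entry += sizeof(uint64_t); /* per event: id */
    if (read_format & PERF_FORMAT_LOST) entry += sizeof(uint64_t); /* per event: lost */
    if (read_format & PERF_FORMAT_GROUP) {
        nr += nr_siblings;
        size += sizeof(uint64_t);      /* the nr field */
    }
    return size + entry * nr;
}

/* Vulnerable pattern: the true size is kept in a u16, so it silently wraps and
 * a later allocation sized from it is far smaller than what gets written. */
static uint16_t stored_read_size_u16(uint32_t read_format, uint64_t nr_siblings)
{
    return (uint16_t)group_read_size(read_format, nr_siblings);
}

/* Hardened pattern: compute wide and reject oversized groups up front.
 * MAX_READ_SIZE is an assumed bound for this example. */
#define MAX_READ_SIZE (16u * 1024u)
static bool validate_group_size(uint32_t read_format, uint64_t nr_siblings, uint64_t *out)
{
    uint64_t size = group_read_size(read_format, nr_siblings);
    if (size > MAX_READ_SIZE)
        return false;
    *out = size;
    return true;
}

int main(void)
{
    uint64_t n = 8191; /* constructed sibling count that pushes the size past 65535 */
    printf("true size %llu, u16 stores %u\n",
           (unsigned long long)group_read_size(PERF_FORMAT_GROUP, n),
           stored_read_size_u16(PERF_FORMAT_GROUP, n));
    return 0;
}
```

With 8191 siblings the true output is 65544 bytes while the u16 holds 8, which is the gap between the allocation and the writes that the article describes.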
The published exploit targets memory layout using heap spraying and netlink socket objects. By allocating a netlink_sock just before the vulnerable buffer, the exploit increments two function pointers inside the socket object.
"One of the modified pointers is then called to bypass KASLR and the other to execute a ROP chain placed in the slot previously occupied by the vulnerable array," the researcher wrote.
This allows:
- Bypass of Kernel Address Space Layout Randomization (KASLR)
- ROP-based privilege escalation, gaining root shell access
The vulnerability has existed since Linux kernel 3.16 (released in 2014), introduced in commit fa8c269353d5, and was only fully patched in kernel version 6.7, via commit 382c27f4ed28.
The vulnerability's full technical write-up and exploit code have been published to GitHub. This public disclosure transforms CVE-2023-6931 from a theoretical risk to a real-world exploit opportunity, especially in shared hosting environments, CTF competitions, or environments where unprivileged user access is allowed.
Linux users and administrators should ensure their systems are running a kernel version that includes the fix for CVE-2023-6931 or apply the necessary patches. Given the potential for local privilege escalation, timely patching is crucial to mitigate the risk posed by this vulnerability.