Disallowing perf_event_open()

Posted Aug 4, 2016 12:52 UTC (Thu) by deater (subscriber, #11746)
Parent article: Disallowing perf_event_open()

Any word on how the CVEs were found? Via a fuzzer or some other way? It is a bit annoying to find internal bugs in your own architectural driver and your solution is to disable a global interface for everyone.

At the same time, the perf_fuzzer can still reliably crash any x86 machine within a few hours despite years of trying to get that fixed, so it probably is a good idea to provide a way to block the syscall.

I see both sides of the issue here, as having perf_event disabled by default is really going to cause annoyance for high-performance computing users (it hasn't started problems yet because most users aren't using Debian). If you start requiring root or sysadmin action in order for perf to work, people are going to go back to skipping perf altogether for tools like LIKWID (they also usually require root or sysadmin intervention).

to post comments

Disallowing perf_event_open()

Posted Aug 4, 2016 20:01 UTC (Thu) by nix (subscriber, #2304) [Link]

Quite. That's not the only use case either. My firewall, in common with much semi-embedded hardware, has no useful PMUs and runs no software that would benefit (and even if it did, I frankly don't care if I break self-tuning JITs on a firewall: it's not doing anything else so the performance of things like that is of minimal interest). But as firewalls tend to be, it is network-exposed to hostile attackers and really should not have huge unused lumps of security-critical code on it at all, let alone exposed to unprivileged users.

I have no idea why there isn't a config knob to compile perf out entirely. There surely should be. Not everything needs it; not everything can benefit; and those things that don't are purely harmed by its distinctly non-zero-sized vulnerability surface.

Disallowing perf_event_open()

Posted Aug 4, 2016 22:51 UTC (Thu) by ballombe (subscriber, #9523) [Link] (7 responses)

> (it hasn't started problems yet because most users aren't using Debian)
or maybe because perf is not disabled by default on Debian.

Disallowing perf_event_open()

Posted Aug 5, 2016 0:17 UTC (Fri) by deater (subscriber, #11746) [Link] (6 responses)

> or maybe because perf is not disabled by default on Debian.

I always forget that most people do not run unstable.

Disallowing perf_event_open()

Posted Aug 5, 2016 0:57 UTC (Fri) by creemj (subscriber, #56061) [Link] (1 responses)

I upgraded to testing two or three weeks ago and had to spend some time working out why my profiling code stopped working. It was a bit annoying to find that perf events was disabled in the kernel from scratch, but I managed to write my first ever systemd init config to write a sensible value to /proc/sys/kernel/perf_event_paranoid on boot up so that I wouldn't be pissed off every time I rebooted.

The pain level has to be quite high before I would report a bug or issue back to Debian --- I hate the reportbug interface and find 'apt-get purge crappy-buggy-package' a much easier and quicker solution in most cases.

I am wondering, however, whether there is a kernel option to change the default? That would be a neater solution.

Disallowing perf_event_open()

Posted Aug 5, 2016 4:36 UTC (Fri) by nybble41 (subscriber, #55106) [Link]

> …but I managed to write my first ever systemd init config to write a sensible value to /proc/sys/kernel/perf_event_paranoid on boot up…

Why a systemd init config? Isn't this exactly why we have /etc/sysctl.conf and /etc/sysctl.d/?

# echo "kernel.perf_event_paranoid = 0" > /etc/sysctl.d/perf_events.conf
# update-initramfs -k all -u

Disallowing perf_event_open()

Posted Aug 6, 2016 17:35 UTC (Sat) by anton (subscriber, #25547) [Link] (3 responses)

I run stable, and I find that the default restrictions of perf are broken for my uses, so I have this nice line in /etc/rc.local:

echo 0 >/proc/sys/kernel/perf_event_paranoid

Disallowing perf_event_open()

Posted Aug 6, 2016 18:06 UTC (Sat) by spender (guest, #23067) [Link] (2 responses)

I like that we have two comments now in this thread alone demonstrating how people have no problem at all with the serious security side-effects of the coarseness of the toggle in the other direction, yet all the complaints are focused on the mere option of an additional, more secure setting. When you consider that even CONFIG_NET can be disabled, but PERF_EVENTS cannot, it's obvious that all the pushback has to do with an arch maintainer also being the maintainer of a pet project he wants to force on everyone, spending more time on adding new bells and whistles and not on (for instance) fixing known issues deater has been talking about here for years now exposed by simple fuzzing, meanwhile offering users no way to mitigate those issues.

-Brad

Disallowing perf_event_open()

Posted Aug 8, 2016 15:09 UTC (Mon) by deater (subscriber, #11746) [Link] (1 responses)

And it turns out that 4.8-rc1 falls over even more quickly than normal with the perf_fuzzer.

The fun part is that the serial console only manages to print
[163405.758086] BUG: unable to handle kernel
before completely locking up.

I'll try reporting this to linux-kernel, but the reports are usually ignored and the deep seated problems the fuzzer is tickling are a bit out of my league to track down.

Disallowing perf_event_open()

Posted Aug 9, 2016 15:34 UTC (Tue) by deater (subscriber, #11746) [Link]

For those keeping track, I ran the perf_fuzzer on a Haswell machine running 4.8-rc1.

The bug mentioned previously that quickly locked the machine turns out to be a known bug (found with trinity a few weeks ago) with a working patch that hasn't hit upstream yet. Once I patched for the bug I let perf_fuzzer run again.

It lasted 6 hours before completely crashing. Along the way it found:

2 known WARNings
2 new WARNings
3 gpf/slab poisoning warnings

and then it finally crashed hard.