Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2024 / CVE-2024-43870.json
blob: da73ab135c4c8d3c642a513313fabec80d3fa7b0 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exit\n\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\nto the target task upon resume to userspace via task_work.\n\nHowever failures while adding an event's callback to the task_work\nengine are ignored. And since the last call for events exit happen\nafter task work is eventually closed, there is a small window during\nwhich pending sigtrap can be queued though ignored, leaking the event\nrefcount addition such as in the following scenario:\n\n TASK A\n -----\n\n do_exit()\n exit_task_work(tsk);\n\n <IRQ>\n perf_event_overflow()\n event->pending_sigtrap = pending_id;\n irq_work_queue(&event->pending_irq);\n </IRQ>\n =========> PREEMPTION: TASK A -> TASK B\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n // FAILS: task work has exited\n task_work_add(&event->pending_task)\n [...]\n <IRQ WORK>\n perf_pending_irq()\n // early return: event->oncpu = -1\n </IRQ WORK>\n [...]\n =========> TASK B -> TASK A\n perf_event_exit_task(tsk)\n perf_event_exit_event()\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // leak event due to unexpected refcount == 2\n\nAs a result the event is never released while the task exits.\n\nFix this with appropriate task_work_add()'s error handling."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"kernel/events/core.c"
],
"versions": [
{
"version": "8bffa95ac19ff27c8261904f89d36c7fcf215d59",
"lessThan": "67fad724f1b568b356c1065d50df46e6b30eb2f7",
"status": "affected",
"versionType": "git"
},
{
"version": "517e6a301f34613bff24a8e35b5455884f2d83d8",
"lessThan": "70882d7fa74f0731492a0d493e8515a4f7131831",
"status": "affected",
"versionType": "git"
},
{
"version": "517e6a301f34613bff24a8e35b5455884f2d83d8",
"lessThan": "05d3fd599594abf79aad4484bccb2b26e1cb0b51",
"status": "affected",
"versionType": "git"
},
{
"version": "517e6a301f34613bff24a8e35b5455884f2d83d8",
"lessThan": "3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a",
"status": "affected",
"versionType": "git"
},
{
"version": "517e6a301f34613bff24a8e35b5455884f2d83d8",
"lessThan": "2fd5ad3f310de22836cdacae919dd99d758a1f1b",
"status": "affected",
"versionType": "git"
},
{
"version": "78e1317a174edbfd1182599bf76c092a2877672c",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"kernel/events/core.c"
],
"versions": [
{
"version": "6.1",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.1",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.165",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.103",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.44",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.10.3",
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.84",
"versionEndExcluding": "5.15.165"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1",
"versionEndExcluding": "6.1.103"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1",
"versionEndExcluding": "6.6.44"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1",
"versionEndExcluding": "6.10.3"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1",
"versionEndExcluding": "6.11"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.14"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7"
},
{
"url": "https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831"
},
{
"url": "https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51"
},
{
"url": "https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a"
},
{
"url": "https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b"
}
],
"title": "perf: Fix event leak upon exit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2024-43870",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}