- Vulnerability/
- CVE-2024-26645
CVE-2024-26645: tracing: Ensure visibility when inserting an element into tracing_map
First published: Tue Mar 26 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: tracing: Ensure visibility when inserting an element into tracing_map Running the following two commands in parallel on a multi-processor AArch64 machine can sporadically produce an unexpected warning about duplicate histogram entries: $ while true; do echo hist:key=id.syscall:val=hitcount > \ /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist sleep 0.001 done $ stress-ng --sysbadaddr $(nproc) The warning looks as follows: [ 2911.172474] ------------[ cut here ]------------ [ 2911.173111] Duplicates detected: 1 [ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408 [ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E) [ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1 [ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G E 6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01 [ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018 [ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408 [ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408 [ 2911.185310] sp : ffff8000a1513900 [ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001 [ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008 [ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180 [ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff [ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8 [ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731 [ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c [ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8 [ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000 [ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480 [ 2911.194259] Call trace: [ 2911.194626] tracing_map_sort_entries+0x3e0/0x408 [ 2911.195220] hist_show+0x124/0x800 [ 2911.195692] seq_read_iter+0x1d4/0x4e8 [ 2911.196193] seq_read+0xe8/0x138 [ 2911.196638] vfs_read+0xc8/0x300 [ 2911.197078] ksys_read+0x70/0x108 [ 2911.197534] __arm64_sys_read+0x24/0x38 [ 2911.198046] invoke_syscall+0x78/0x108 [ 2911.198553] el0_svc_common.constprop.0+0xd0/0xf8 [ 2911.199157] do_el0_svc+0x28/0x40 [ 2911.199613] el0_svc+0x40/0x178 [ 2911.200048] el0t_64_sync_handler+0x13c/0x158 [ 2911.200621] el0t_64_sync+0x1a8/0x1b0 [ 2911.201115] ---[ end trace 0000000000000000 ]--- The problem appears to be caused by CPU reordering of writes issued from __tracing_map_insert(). The check for the presence of an element with a given key in this function is: val = READ_ONCE(entry->val); if (val && keys_match(key, val->key, map->key_size)) ... The write of a new entry is: elt = get_free_elt(map); memcpy(elt->key, key, map->key_size); entry->val = elt; The "memcpy(elt->key, key, map->key_size);" and "entry->val = elt;" stores may become visible in the reversed order on another CPU. This second CPU might then incorrectly determine that a new key doesn't match an already present val->key and subse ---truncated---
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/linux | <5.4.0-181.201 | 5.4.0-181.201 |
| ubuntu/linux | <5.15.0-106.116 | 5.15.0-106.116 |
| ubuntu/linux | <6.5.0-41.41 | 6.5.0-41.41 |
| ubuntu/linux | <6.8~ | 6.8~ |
| ubuntu/linux-aws | <5.4.0-1124.134 | 5.4.0-1124.134 |
| ubuntu/linux-aws | <5.15.0-1061.67 | 5.15.0-1061.67 |
| ubuntu/linux-aws | <6.5.0-1021.21 | 6.5.0-1021.21 |
| ubuntu/linux-aws | <6.8~ | 6.8~ |
| ubuntu/linux-aws-5.15 | <5.15.0-1061.67~20.04.1 | 5.15.0-1061.67~20.04.1 |
| ubuntu/linux-aws-5.15 | <6.8~ | 6.8~ |
| ubuntu/linux-aws-5.4 | <5.4.0-1124.134~18.04.1 | 5.4.0-1124.134~18.04.1 |
| ubuntu/linux-aws-5.4 | <6.8~ | 6.8~ |
| ubuntu/linux-aws-6.5 | <6.8~ | 6.8~ |
| ubuntu/linux-aws-fips | <6.8~ | 6.8~ |
| ubuntu/linux-aws-hwe | <6.8~ | 6.8~ |
| ubuntu/linux-azure | <5.4.0-1129.136 | 5.4.0-1129.136 |
| ubuntu/linux-azure | <5.15.0-1063.72 | 5.15.0-1063.72 |
| ubuntu/linux-azure | <6.5.0-1022.23 | 6.5.0-1022.23 |
| ubuntu/linux-azure | <6.8~ | 6.8~ |
| ubuntu/linux-azure-4.15 | <6.8~ | 6.8~ |
| ubuntu/linux-azure-5.15 | <5.15.0-1063.72~20.04.1 | 5.15.0-1063.72~20.04.1 |
| ubuntu/linux-azure-5.15 | <6.8~ | 6.8~ |
| ubuntu/linux-azure-5.4 | <5.4.0-1129.136~18.04.1 | 5.4.0-1129.136~18.04.1 |
| ubuntu/linux-azure-5.4 | <6.8~ | 6.8~ |
| ubuntu/linux-azure-6.5 | <6.5.0-1022.23~22.04.1 | 6.5.0-1022.23~22.04.1 |
| ubuntu/linux-azure-6.5 | <6.8~ | 6.8~ |
| ubuntu/linux-azure-fde | <5.15.0-1063.72.1 | 5.15.0-1063.72.1 |
| ubuntu/linux-azure-fde | <6.8~ | 6.8~ |
| ubuntu/linux-azure-fde-5.15 | <5.15.0-1063.72~20.04.1.1 | 5.15.0-1063.72~20.04.1.1 |
| ubuntu/linux-azure-fde-5.15 | <6.8~ | 6.8~ |
| ubuntu/linux-azure-fips | <6.8~ | 6.8~ |
| ubuntu/linux-bluefield | <5.4.0-1084.91 | 5.4.0-1084.91 |
| ubuntu/linux-bluefield | <6.8~ | 6.8~ |
| ubuntu/linux-fips | <6.8~ | 6.8~ |
| ubuntu/linux-gcp | <5.4.0-1128.137 | 5.4.0-1128.137 |
| ubuntu/linux-gcp | <5.15.0-1059.67 | 5.15.0-1059.67 |
| ubuntu/linux-gcp | <6.5.0-1022.24 | 6.5.0-1022.24 |
| ubuntu/linux-gcp | <6.8~ | 6.8~ |
| ubuntu/linux-gcp-4.15 | <6.8~ | 6.8~ |
| ubuntu/linux-gcp-5.15 | <5.15.0-1059.67~20.04.1 | 5.15.0-1059.67~20.04.1 |
| ubuntu/linux-gcp-5.15 | <6.8~ | 6.8~ |
| ubuntu/linux-gcp-5.4 | <5.4.0-1128.137~18.04.1 | 5.4.0-1128.137~18.04.1 |
| ubuntu/linux-gcp-5.4 | <6.8~ | 6.8~ |
| ubuntu/linux-gcp-6.5 | <6.5.0-1022.24~22.04.1 | 6.5.0-1022.24~22.04.1 |
| ubuntu/linux-gcp-6.5 | <6.8~ | 6.8~ |
| ubuntu/linux-gcp-fips | <6.8~ | 6.8~ |
| ubuntu/linux-gke | <5.15.0-1058.63 | 5.15.0-1058.63 |
| ubuntu/linux-gke | <6.8~ | 6.8~ |
| ubuntu/linux-gkeop | <5.4.0-1091.95 | 5.4.0-1091.95 |
| ubuntu/linux-gkeop | <5.15.0-1044.51 | 5.15.0-1044.51 |
| ubuntu/linux-gkeop | <6.8~ | 6.8~ |
| ubuntu/linux-gkeop-5.15 | <5.15.0-1044.51~20.04.1 | 5.15.0-1044.51~20.04.1 |
| ubuntu/linux-gkeop-5.15 | <6.8~ | 6.8~ |
| ubuntu/linux-hwe | <6.8~ | 6.8~ |
| ubuntu/linux-hwe-5.15 | <5.15.0-106.116~20.04.1 | 5.15.0-106.116~20.04.1 |
| ubuntu/linux-hwe-5.15 | <6.8~ | 6.8~ |
| ubuntu/linux-hwe-5.4 | <5.4.0-181.201~18.04.1 | 5.4.0-181.201~18.04.1 |
| ubuntu/linux-hwe-5.4 | <6.8~ | 6.8~ |
| ubuntu/linux-hwe-6.5 | <6.5.0-41.41~22.04.2 | 6.5.0-41.41~22.04.2 |
| ubuntu/linux-hwe-6.5 | <6.8~ | 6.8~ |
| ubuntu/linux-ibm | <5.4.0-1071.76 | 5.4.0-1071.76 |
| ubuntu/linux-ibm | <5.15.0-1054.57 | 5.15.0-1054.57 |
| ubuntu/linux-ibm | <6.8~ | 6.8~ |
| ubuntu/linux-ibm-5.15 | <5.15.0-1054.57~20.04.1 | 5.15.0-1054.57~20.04.1 |
| ubuntu/linux-ibm-5.15 | <6.8~ | 6.8~ |
| ubuntu/linux-ibm-5.4 | <5.4.0-1071.76~18.04.1 | 5.4.0-1071.76~18.04.1 |
| ubuntu/linux-ibm-5.4 | <6.8~ | 6.8~ |
| ubuntu/linux-intel | <6.8~ | 6.8~ |
| ubuntu/linux-intel-iot-realtime | <6.8~ | 6.8~ |
| ubuntu/linux-intel-iotg | <5.15.0-1057.63 | 5.15.0-1057.63 |
| ubuntu/linux-intel-iotg | <6.8~ | 6.8~ |
| ubuntu/linux-intel-iotg-5.15 | <5.15.0-1058.64~20.04.1 | 5.15.0-1058.64~20.04.1 |
| ubuntu/linux-intel-iotg-5.15 | <6.8~ | 6.8~ |
| ubuntu/linux-iot | <5.4.0-1036.37 | 5.4.0-1036.37 |
| ubuntu/linux-iot | <6.8~ | 6.8~ |
| ubuntu/linux-kvm | <5.4.0-1112.119 | 5.4.0-1112.119 |
| ubuntu/linux-kvm | <5.15.0-1058.63 | 5.15.0-1058.63 |
| ubuntu/linux-kvm | <6.8~ | 6.8~ |
| ubuntu/linux-laptop | <6.5.0-1017.20 | 6.5.0-1017.20 |
| ubuntu/linux-laptop | <6.8~ | 6.8~ |
| ubuntu/linux-lowlatency | <5.15.0-106.116 | 5.15.0-106.116 |
| ubuntu/linux-lowlatency | <6.5.0-41.41.1 | 6.5.0-41.41.1 |
| ubuntu/linux-lowlatency | <6.8~ | 6.8~ |
| ubuntu/linux-lowlatency-hwe-5.15 | <5.15.0-106.116~20.04.1 | 5.15.0-106.116~20.04.1 |
| ubuntu/linux-lowlatency-hwe-5.15 | <6.8~ | 6.8~ |
| ubuntu/linux-lowlatency-hwe-6.5 | <6.5.0-41.41.1~22.04.1 | 6.5.0-41.41.1~22.04.1 |
| ubuntu/linux-lowlatency-hwe-6.5 | <6.8~ | 6.8~ |
| ubuntu/linux-lowlatency-hwe-6.8 | <6.8~ | 6.8~ |
| ubuntu/linux-lts-xenial | <6.8~ | 6.8~ |
| ubuntu/linux-nvidia | <5.15.0-1054.55 | 5.15.0-1054.55 |
| ubuntu/linux-nvidia | <6.8~ | 6.8~ |
| ubuntu/linux-nvidia-6.5 | <6.5.0-1021.22 | 6.5.0-1021.22 |
| ubuntu/linux-nvidia-6.5 | <6.8~ | 6.8~ |
| ubuntu/linux-nvidia-6.8 | <6.8~ | 6.8~ |
| ubuntu/linux-nvidia-lowlatency | <6.8~ | 6.8~ |
| ubuntu/linux-oem-6.5 | <6.5.0-1024.25 | 6.5.0-1024.25 |
| ubuntu/linux-oem-6.5 | <6.8~ | 6.8~ |
| ubuntu/linux-oem-6.8 | <6.8~ | 6.8~ |
| ubuntu/linux-oracle | <5.4.0-1123.132 | 5.4.0-1123.132 |
| ubuntu/linux-oracle | <5.15.0-1059.65 | 5.15.0-1059.65 |
| ubuntu/linux-oracle | <6.5.0-1024.24 | 6.5.0-1024.24 |
| ubuntu/linux-oracle | <6.8~ | 6.8~ |
| ubuntu/linux-oracle-5.15 | <5.15.0-1059.65~20.04.1 | 5.15.0-1059.65~20.04.1 |
| ubuntu/linux-oracle-5.15 | <6.8~ | 6.8~ |
| ubuntu/linux-oracle-5.4 | <5.4.0-1123.132~18.04.1 | 5.4.0-1123.132~18.04.1 |
| ubuntu/linux-oracle-5.4 | <6.8~ | 6.8~ |
| ubuntu/linux-oracle-6.5 | <6.5.0-1024.24~22.04.1 | 6.5.0-1024.24~22.04.1 |
| ubuntu/linux-oracle-6.5 | <6.8~ | 6.8~ |
| ubuntu/linux-raspi | <5.4.0-1108.120 | 5.4.0-1108.120 |
| ubuntu/linux-raspi | <5.15.0-1054.57 | 5.15.0-1054.57 |
| ubuntu/linux-raspi | <6.5.0-1018.21 | 6.5.0-1018.21 |
| ubuntu/linux-raspi | <6.8~ | 6.8~ |
| ubuntu/linux-raspi-5.4 | <5.4.0-1108.120~18.04.1 | 5.4.0-1108.120~18.04.1 |
| ubuntu/linux-raspi-5.4 | <6.8~ | 6.8~ |
| ubuntu/linux-raspi-realtime | <6.8~ | 6.8~ |
| ubuntu/linux-realtime | <6.8~ | 6.8~ |
| ubuntu/linux-riscv | <6.5.0-40.40.1 | 6.5.0-40.40.1 |
| ubuntu/linux-riscv | <6.8~ | 6.8~ |
| ubuntu/linux-riscv-5.15 | <5.15.0-1057.61~20.04.1 | 5.15.0-1057.61~20.04.1 |
| ubuntu/linux-riscv-5.15 | <6.8~ | 6.8~ |
| ubuntu/linux-riscv-6.5 | <6.5.0-40.40.1~22.04.1 | 6.5.0-40.40.1~22.04.1 |
| ubuntu/linux-riscv-6.5 | <6.8~ | 6.8~ |
| ubuntu/linux-riscv-6.8 | <6.8~ | 6.8~ |
| ubuntu/linux-starfive | <6.5.0-1015.16 | 6.5.0-1015.16 |
| ubuntu/linux-starfive | <6.8~ | 6.8~ |
| ubuntu/linux-starfive-6.5 | <6.5.0-1015.16~22.04.1 | 6.5.0-1015.16~22.04.1 |
| ubuntu/linux-starfive-6.5 | <6.8~ | 6.8~ |
| ubuntu/linux-xilinx-zynqmp | <5.4.0-1043.47 | 5.4.0-1043.47 |
| ubuntu/linux-xilinx-zynqmp | <5.15.0-1030.34 | 5.15.0-1030.34 |
| ubuntu/linux-xilinx-zynqmp | <6.8~ | 6.8~ |
| debian/linux | 5.10.223-1 6.1.106-3 6.1.99-1 6.10.6-1 6.10.7-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/2b44760609e9eaafc9d234a6883d042fc21132a7
- https://git.kernel.org/stable/c/5022b331c041e8c54b9a6a3251579bd1e8c0fc0b
- https://git.kernel.org/stable/c/a1eebe76e187dbe11ca299f8dbb6e45d5b1889e7
- https://git.kernel.org/stable/c/aef1cb00856ccfd614467cfb50b791278992e177
- https://git.kernel.org/stable/c/bf4aeff7da85c3becd39fb73bac94122331c30fb
- https://git.kernel.org/stable/c/dad9b28f675ed99b4dec261db2a397efeb80b74c
- https://git.kernel.org/stable/c/ef70dfa0b1e5084f32635156c9a5c795352ad860
- https://git.kernel.org/stable/c/f4f7e696db0274ff560482cc52eddbf0551d4b7a
- https://launchpad.net/bugs/cve/CVE-2024-26645
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
- https://git.kernel.org/linus/2b44760609e9eaafc9d234a6883d042fc21132a7
- https://security-tracker.debian.org/tracker/CVE-2024-26645
- https://git.kernel.org/linus/2b44760609e9eaafc9d234a6883d042fc21132a7 (6.8-rc2)
- https://www.cve.org/CVERecord?id=CVE-2024-26645
- https://ubuntu.com/security/notices/USN-6766-1
- https://ubuntu.com/security/notices/USN-6767-1
- https://ubuntu.com/security/notices/USN-6767-2
- https://ubuntu.com/security/notices/USN-6766-2
- https://ubuntu.com/security/notices/USN-6766-3
- https://ubuntu.com/security/notices/USN-6795-1
- https://ubuntu.com/security/notices/USN-6818-1
- https://ubuntu.com/security/notices/USN-6819-1
- https://ubuntu.com/security/notices/USN-6818-2
- https://ubuntu.com/security/notices/USN-6828-1
- https://ubuntu.com/security/notices/USN-6819-2
- https://ubuntu.com/security/notices/USN-6819-3
- https://ubuntu.com/security/notices/USN-6818-3
- https://ubuntu.com/security/notices/USN-6818-4
- https://ubuntu.com/security/notices/USN-6819-4
- https://nvd.nist.gov/vuln/detail/CVE-2024-26645
- https://git.kernel.org/linus/c193707dde77ace92a649cd59a17e105e2fbeaef
- https://ubuntu.com/security/CVE-2024-26645
Parent vulnerabilities
(Appears in the following advisories)
- agent/severity
- agent/title
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/description
- agent/author
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/references
- collector/nvd-cve
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/debian
- package-manager/ubuntu