CVE-2024-43869: perf: Fix event leak upon exec and file release
First published: Wed Aug 21 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: perf: Fix event leak upon exec and file release The perf pending task work is never waited upon the matching event release. In the case of a child event, released via free_event() directly, this can potentially result in a leaked event, such as in the following scenario that doesn't even require a weak IRQ work implementation to trigger: schedule() prepare_task_switch() =======> <NMI> perf_event_overflow() event->pending_sigtrap = ... irq_work_queue(&event->pending_irq) <======= </NMI> perf_event_task_sched_out() event_sched_out() event->pending_sigtrap = 0; atomic_long_inc_not_zero(&event->refcount) task_work_add(&event->pending_task) finish_lock_switch() =======> <IRQ> perf_pending_irq() //do nothing, rely on pending task work <======= </IRQ> begin_new_exec() perf_event_exit_task() perf_event_exit_event() // If is child event free_event() WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1) // event is leaked Similar scenarios can also happen with perf_event_remove_on_exec() or simply against concurrent perf_event_release(). Fix this with synchonizing against the possibly remaining pending task work while freeing the event, just like is done with remaining pending IRQ work. This means that the pending task callback neither need nor should hold a reference to the event, preventing it from ever beeing freed.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.112-1 6.11.7-1 6.11.9-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4
- https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840
- https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0
- https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99
- https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43869
- https://nvd.nist.gov/vuln/detail/CVE-2024-43869
- https://launchpad.net/bugs/cve/CVE-2024-43869
- https://security-tracker.debian.org/tracker/CVE-2024-43869
- https://ubuntu.com/security/CVE-2024-43869
- https://git.kernel.org/linus/3a5465418f5fd970e86a86c7f4075be262682840
- https://access.redhat.com/errata/RHSA-2024:9315
- https://bugzilla.redhat.com/show_bug.cgi?id=2306363
- agent/title
- agent/severity
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- collector/nvd-cve
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/references
- agent/author
- agent/softwarecombine
- agent/description
- agent/event
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-43869
- package-manager/debian