Description
In the Linux kernel, the following vulnerability has been resolved:
perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
Make sure that __perf_event_overflow() runs with IRQs disabled for all
possible callchains. Specifically the software events can end up running
it with only preemption disabled.
This opens up a race vs perf_event_exit_event() and friends that will go
and free various things the overflow path expects to be present, like
the BPF program.
A flaw was found in the Linux kernel's perf subsystem. A race condition exists between the __perf_event_overflow() function and functions like perf_remove_from_context() or perf_event_exit_event(). This occurs because __perf_event_overflow() may execute with only preemption disabled, allowing other operations to free resources, such as BPF (Berkeley Packet Filter) programs, that the overflow path expects to be available. This could lead to system instability or a denial of service.
Report
A race exists in the perf software event overflow handling, where __perf_event_overflow() can run without IRQs disabled for some callchains. This allows perf_event_release_kernel() and perf_remove_from_context() to free objects that the overflow path still expects to be present, such as an attached BPF program. This is a classic lifetime bug and can result in use-after-free behavior, which may manifest as a kernel crash. The issue is not network reachable; it requires local execution that can trigger perf overflow paths, such as software events, tracepoints, or timer-based sampling. The impact is denial of service. A conservative worst case includes limited confidentiality and integrity impact due to the use-after-free class, but reliable privilege escalation is not demonstrated by the patch context.
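The ordering problem described above, as an added illustration that is not kernel code and not part of the original advisory: a single-threaded C model in which the removal request arrives as an interrupt on the CPU running the overflow handler (a modelling assumption). All names are hypothetical, and "freeing" is a flag so the model itself has no real use after free.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model; every name here is hypothetical. */
struct prog_model  { bool freed; };
struct event_model { struct prog_model *prog; };
static bool irqs_off;                   /* models local IRQ masking */
static struct event_model *pending_ipi; /* queued removal request */

/* Teardown side: detach the program and mark it freed. */
static void remove_from_context_model(struct event_model *e)
{
    if (e->prog) { e->prog->freed = true; e->prog = NULL; }
}

/* A point where a pending interrupt is delivered unless IRQs are masked. */
static void irq_window(void)
{
    if (irqs_off || !pending_ipi) return;
    remove_from_context_model(pending_ipi);
    pending_ipi = NULL;
}

/* Overflow side; returns true if it used a program that was already freed. */
static bool overflow_model(struct event_model *e, bool disable_irqs)
{
    irqs_off = disable_irqs;            /* false: only preemption disabled */
    struct prog_model *prog = e->prog;  /* handler picks up the pointer */
    irq_window();                       /* removal can land mid-handler */
    bool stale = prog && prog->freed;   /* handler "runs" the program */
    irqs_off = false;
    irq_window();                       /* masked removal runs after restore */
    return stale;
}

/* One overflow with a removal pending. Bit 0: stale use; bit 1: detached. */
static int race_once(bool disable_irqs)
{
    struct prog_model prog = { false };
    struct event_model ev = { &prog };
    pending_ipi = &ev;
    bool stale = overflow_model(&ev, disable_irqs);
    return (stale ? 1 : 0) | (ev.prog == NULL ? 2 : 0);
}

int main(void)
{
    printf("preempt-off only: %d, irqs off: %d\n", race_once(false), race_once(true));
    return 0;
}
```

In both runs the removal completes; only the run without IRQ masking lets it land between the handler loading the pointer and using it.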
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 6 | kernel | Out of support scope | | |
| Red Hat Enterprise Linux 7 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 7 | kernel-rt | Fix deferred | | |
| Red Hat Enterprise Linux 8 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 8 | kernel-rt | Fix deferred | | |
| Red Hat Enterprise Linux 9 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 9 | kernel-rt | Fix deferred | | |
Additional information
Status:
5.8 Medium
CVSS3