ghsa-hwwv-phfq-243p
Vulnerability from github
Published
2025-06-18 12:30
Modified
2025-06-18 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq

Currently, using PEBS-via-PT with a sample frequency instead of a sample period, causes a segfault. For example:

BUG: kernel NULL pointer dereference, address: 0000000000000195
<NMI>
? __die_body.cold+0x19/0x27
? page_fault_oops+0xca/0x290
? exc_page_fault+0x7e/0x1b0
? asm_exc_page_fault+0x26/0x30
? intel_pmu_pebs_event_update_no_drain+0x40/0x60
? intel_pmu_pebs_event_update_no_drain+0x32/0x60
intel_pmu_drain_pebs_icl+0x333/0x350
handle_pmi_common+0x272/0x3c0
intel_pmu_handle_irq+0x10a/0x2e0
perf_event_nmi_handler+0x2a/0x50

That happens because intel_pmu_pebs_event_update_no_drain() assumes all the pebs_enabled bits represent counter indexes, which is not always the case. In this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.

The behaviour of PEBS-via-PT with sample frequency is questionable because although a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not adjusted anyway.

Putting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing the mask of counter bits instead of 'size'. Note, prior to the Fixes commit, 'size' would be limited to the maximum counter index, so the issue was not hit.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38055"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T10:15:38Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq\n\nCurrently, using PEBS-via-PT with a sample frequency instead of a sample\nperiod, causes a segfault.  For example:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000195\n    \u003cNMI\u003e\n    ? __die_body.cold+0x19/0x27\n    ? page_fault_oops+0xca/0x290\n    ? exc_page_fault+0x7e/0x1b0\n    ? asm_exc_page_fault+0x26/0x30\n    ? intel_pmu_pebs_event_update_no_drain+0x40/0x60\n    ? intel_pmu_pebs_event_update_no_drain+0x32/0x60\n    intel_pmu_drain_pebs_icl+0x333/0x350\n    handle_pmi_common+0x272/0x3c0\n    intel_pmu_handle_irq+0x10a/0x2e0\n    perf_event_nmi_handler+0x2a/0x50\n\nThat happens because intel_pmu_pebs_event_update_no_drain() assumes all the\npebs_enabled bits represent counter indexes, which is not always the case.\nIn this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.\n\nThe behaviour of PEBS-via-PT with sample frequency is questionable because\nalthough a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not\nadjusted anyway.\n\nPutting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing\nthe mask of counter bits instead of \u0027size\u0027.  Note, prior to the Fixes\ncommit, \u0027size\u0027 would be limited to the maximum counter index, so the issue\nwas not hit.",
  "id": "GHSA-hwwv-phfq-243p",
  "modified": "2025-06-18T12:30:33Z",
  "published": "2025-06-18T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38055"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0b1874a5b1173fbcb2185ab828f4c33d067e551e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/99bcd91fabada0dbb1d5f0de44532d8008db93c6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca51db23166767a8445deb8331c9b8d5205d9287"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.