ghsa-q4cg-m7j8-ggr6
Vulnerability from github
Published
2025-01-11 15:30
Modified
2025-01-11 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

s390/cpum_sf: Handle CPU hotplug remove during sampling

CPU hotplug remove handling triggers the following function call sequence:

CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu() ... CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu()

The s390 CPUMF sampling CPU hotplug handler invokes:

s390_pmu_sf_offline_cpu() +--> cpusf_pmu_setup() +--> setup_pmc_cpu() +--> deallocate_buffers()

This function de-allocates all sampling data buffers (SDBs) allocated for that CPU at event initialization. It also clears the PMU_F_RESERVED bit. The CPU is gone and can not be sampled.

With the event still being active on the removed CPU, the CPU event hotplug support in kernel performance subsystem triggers the following function calls on the removed CPU:

perf_event_exit_cpu() +--> perf_event_exit_cpu_context() +--> __perf_event_exit_context() +--> __perf_remove_from_context() +--> event_sched_out() +--> cpumsf_pmu_del() +--> cpumsf_pmu_stop() +--> hw_perf_event_update()

to stop and remove the event. During removal of the event, the sampling device driver tries to read out the remaining samples from the sample data buffers (SDBs). But they have already been freed (and may have been re-assigned). This may lead to a use after free situation in which case the samples are most likely invalid. In the best case the memory has not been reassigned and still contains valid data.

Remedy this situation and check if the CPU is still in reserved state (bit PMU_F_RESERVED set). In this case the SDBs have not been released an contain valid data. This is always the case when the event is removed (and no CPU hotplug off occured). If the PMU_F_RESERVED bit is not set, the SDB buffers are gone.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-57849"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-11T15:15:07Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cpum_sf: Handle CPU hotplug remove during sampling\n\nCPU hotplug remove handling triggers the following function\ncall sequence:\n\n   CPUHP_AP_PERF_S390_SF_ONLINE  --\u003e s390_pmu_sf_offline_cpu()\n   ...\n   CPUHP_AP_PERF_ONLINE          --\u003e perf_event_exit_cpu()\n\nThe s390 CPUMF sampling CPU hotplug handler invokes:\n\n s390_pmu_sf_offline_cpu()\n +--\u003e  cpusf_pmu_setup()\n       +--\u003e setup_pmc_cpu()\n            +--\u003e deallocate_buffers()\n\nThis function de-allocates all sampling data buffers (SDBs) allocated\nfor that CPU at event initialization. It also clears the\nPMU_F_RESERVED bit. The CPU is gone and can not be sampled.\n\nWith the event still being active on the removed CPU, the CPU event\nhotplug support in kernel performance subsystem triggers the\nfollowing function calls on the removed CPU:\n\n  perf_event_exit_cpu()\n  +--\u003e perf_event_exit_cpu_context()\n       +--\u003e __perf_event_exit_context()\n\t    +--\u003e __perf_remove_from_context()\n\t         +--\u003e event_sched_out()\n\t              +--\u003e cpumsf_pmu_del()\n\t                   +--\u003e cpumsf_pmu_stop()\n                                +--\u003e hw_perf_event_update()\n\nto stop and remove the event. During removal of the event, the\nsampling device driver tries to read out the remaining samples from\nthe sample data buffers (SDBs). But they have already been freed\n(and may have been re-assigned). This may lead to a use after free\nsituation in which case the samples are most likely invalid. In the\nbest case the memory has not been reassigned and still contains\nvalid data.\n\nRemedy this situation and check if the CPU is still in reserved\nstate (bit PMU_F_RESERVED set). In this case the SDBs have not been\nreleased an contain valid data. This is always the case when\nthe event is removed (and no CPU hotplug off occured).\nIf the PMU_F_RESERVED bit is not set, the SDB buffers are gone.",
  "id": "GHSA-q4cg-m7j8-ggr6",
  "modified": "2025-01-11T15:30:29Z",
  "published": "2025-01-11T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57849"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/06a92f810df8037ca36157282ddcbefdcaf049b8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/238e3af849dfdcb1faed544349f7025e533f9aab"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/99192c735ed4bfdff0d215ec85c8a87a677cb898"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a0bd7dacbd51c632b8e2c0500b479af564afadf3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a69752f1e5de817941a2ea0609254f6f25acd274"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b5be6a0bb639d165c8418d8dddd8f322587be8be"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/be54e6e0f93a39a9c00478d70d12956a5f3d5b9b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.