ghsa-2x5w-q4pc-79qx
Vulnerability from github
Published
2024-12-27 15:31
Modified
2025-01-06 21:30
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog

Syzbot reported [1] crash that happens for following tracing scenario:

  • create tracepoint perf event with attr.inherit=1, attach it to the process and set bpf program to it

  • attached process forks -> chid creates inherited event

    the new child event shares the parent's bpf program and tp_event (hence prog_array) which is global for tracepoint

  • exit both process and its child -> release both events

  • first perf_event_detach_bpf_prog call will release tp_event->prog_array and second perf_event_detach_bpf_prog will crash, because tp_event->prog_array is NULL

The fix makes sure the perf_event_detach_bpf_prog checks prog_array is valid before it tries to remove the bpf program from it.

[1] https://lore.kernel.org/bpf/Z1MR6dCIKajNS6nU@krava/T/#m91dbf0688221ec7a7fc95e896a7ef9ff93b0b8ad

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-56665"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:26Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog\n\nSyzbot reported [1] crash that happens for following tracing scenario:\n\n  - create tracepoint perf event with attr.inherit=1, attach it to the\n    process and set bpf program to it\n  - attached process forks -\u003e chid creates inherited event\n\n    the new child event shares the parent\u0027s bpf program and tp_event\n    (hence prog_array) which is global for tracepoint\n\n  - exit both process and its child -\u003e release both events\n  - first perf_event_detach_bpf_prog call will release tp_event-\u003eprog_array\n    and second perf_event_detach_bpf_prog will crash, because\n    tp_event-\u003eprog_array is NULL\n\nThe fix makes sure the perf_event_detach_bpf_prog checks prog_array\nis valid before it tries to remove the bpf program from it.\n\n[1] https://lore.kernel.org/bpf/Z1MR6dCIKajNS6nU@krava/T/#m91dbf0688221ec7a7fc95e896a7ef9ff93b0b8ad",
  "id": "GHSA-2x5w-q4pc-79qx",
  "modified": "2025-01-06T21:30:50Z",
  "published": "2024-12-27T15:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56665"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/842e5af282453983586e2eae3c8eaf252de5f22f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/978c4486cca5c7b9253d3ab98a88c8e769cb9bbd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2b6b47662d5f2dfce92e5ffbdcac8229f321d9d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dfb15ddf3b65e0df2129f9756d1b4fa78055cdb3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.