CVE-2022-48713
perf/x86/intel/pt: Fix crash with stop filters in single-range mode
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel/pt: Fix crash with stop filters in single-range mode
Add a check for !buf->single before calling pt_buffer_region_size in a
place where a missing check can cause a kernel crash.
Fixes a bug introduced by commit 670638477aed ("perf/x86/intel/pt:
Opportunistically use single range output mode"), which added a
support for PT single-range output mode. Since that commit if a PT
stop filter range is hit while tracing, the kernel will crash because
of a null pointer dereference in pt_handle_status due to calling
pt_buffer_region_size without a ToPA configured.
The commit which introduced single-range mode guarded almost all uses of
the ToPA buffer variables with checks of the buf->single variable, but
missed the case where tracing was stopped by the PT hardware, which
happens when execution hits a configured stop filter.
Tested that hitting a stop filter while PT recording successfully
records a trace with this patch but crashes without this patch.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: perf/x86/intel/pt: soluciona el fallo con filtros de parada en modo de rango único. Añade una marca para !buf->single antes de llamar a pt_buffer_region_size en un lugar donde una marca faltante puede provocar un fallo del kernel. Corrige un error introducido por el commit 670638477aed ("perf/x86/intel/pt: utilizar de manera oportunista el modo de salida de rango único"), que agregó soporte para el modo de salida de rango único PT. Desde esa confirmación, si se alcanza un rango de filtro de parada PT durante el seguimiento, el kernel fallará debido a una desreferencia de puntero nulo en pt_handle_status debido a la llamada a pt_buffer_region_size sin un ToPA configurado. La confirmación que introdujo el modo de rango único protegió casi todos los usos de las variables del búfer ToPA con comprobaciones de la variable buf->single, pero omitió el caso en el que el hardware PT detuvo el seguimiento, lo que ocurre cuando la ejecución llega a un filtro de parada configurado. Se probó que al presionar un filtro de detención mientras se graba PT se registra exitosamente un seguimiento con este parche, pero falla sin este parche.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-06-20 CVE Reserved
- 2024-06-20 CVE Published
- 2024-06-21 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/670638477aede0d7a355ced04b569214aa3feacd | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.5 < 5.10.99 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.10.99" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.5 < 5.15.22 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.15.22" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.5 < 5.16.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.16.8" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.5 < 5.17 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.17" | en |
Affected
| ||||||