CVE-2023-52476

perf/x86/lbr: Filter vsyscall addresses

Severity Score: 5.5 (CVSS v3.1)

Public Exploits: 0 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: Track (SSVC)

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

perf/x86/lbr: Filter vsyscall addresses

We found that a panic can occur when a vsyscall is made while LBR sampling
is active. If the vsyscall is interrupted (NMI) for perf sampling, this
call sequence can occur (most recent at top):

__insn_get_emulate_prefix()
insn_get_emulate_prefix()
insn_get_prefixes()
insn_get_opcode()
decode_branch_type()
get_branch_type()
intel_pmu_lbr_filter()
intel_pmu_handle_irq()
perf_event_nmi_handler()

Within __insn_get_emulate_prefix() at frame 0, a macro is called:

peek_nbyte_next(insn_byte_t, insn, i)

Within this macro, this dereference occurs:

(insn)->next_byte

Inspecting registers at this point, the value of the next_byte field is the
address of the vsyscall made, for example the location of the vsyscall
version of gettimeofday() at 0xffffffffff600000. The access to an address
in the vsyscall region will trigger an oops due to an unhandled page fault.

To fix the bug, filtering for vsyscalls can be done when
determining the branch type. This patch will return
a "none" branch if a kernel address is found to lie in the
vsyscall region.
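
The filter described above, shown as an added user-space model in C (not the kernel patch and not code from this record): the branch classifier returns "none" for any address in the vsyscall page before the instruction bytes are read. The function names, `TEXT_BASE`, the sample opcode bytes and the 4 KiB page size are assumptions made for the illustration; `BR_FAULT` stands in for the unhandled page fault.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Address quoted in the description: start of the vsyscall region. */
#define VSYSCALL_ADDR 0xffffffffff600000ULL
#define PAGE_MASK_4K  (~0xfffULL)          /* assumption: one 4 KiB page */

enum br_type { BR_NONE, BR_CALL, BR_JMP, BR_RET, BR_FAULT };

/* Constructed sample: a tiny readable "kernel text" mapping (hypothetical base). */
#define TEXT_BASE 0xffffffff81000000ULL
static const uint8_t text[] = { 0xe8, 0, 0, 0, 0, 0xc3, 0xeb, 0xfe, 0x90 };

/* Model of the memory read; NULL stands in for the unhandled page fault. */
static const uint8_t *model_read(uint64_t addr)
{
    if (addr >= TEXT_BASE && addr < TEXT_BASE + sizeof(text))
        return &text[addr - TEXT_BASE];
    return NULL;
}

static int in_vsyscall_page(uint64_t addr)
{
    return (addr & PAGE_MASK_4K) == VSYSCALL_ADDR;
}

/* Classify the branch at 'from'; filter != 0 selects the hardened behaviour. */
enum br_type classify_branch(uint64_t from, int filter)
{
    const uint8_t *p;

    /* Hardened path: a vsyscall address never reaches the decoder. */
    if (filter && in_vsyscall_page(from))
        return BR_NONE;

    p = model_read(from);        /* models the (insn)->next_byte dereference */
    if (!p)
        return BR_FAULT;

    switch (*p) {                /* minimal one-byte opcode decode */
    case 0xe8: return BR_CALL;
    case 0xe9: case 0xeb: return BR_JMP;
    case 0xc3: return BR_RET;
    default:   return BR_NONE;
    }
}

int main(void)
{
    printf("unfiltered=%d filtered=%d\n", classify_branch(VSYSCALL_ADDR, 0),
           classify_branch(VSYSCALL_ADDR, 1));
    return 0;
}
```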

*Credits: N/A
CVSS Scores
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-20 CVE Reserved
  • 2024-02-29 CVE Published
  • 2024-02-29 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-404: Improper Resource Shutdown or Release
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product        Version       Other   Status
Linux    Linux Kernel   < 5.15.137    en      Affected
Linux    Linux Kernel   < 6.1.59      en      Affected
Linux    Linux Kernel   < 6.5.8       en      Affected
Linux    Linux Kernel   < 6.6         en      Affected