// For flags

CVE-2024-43870

perf: Fix event leak upon exit

Severity Score

5.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix event leak upon exit

When a task is scheduled out, pending sigtrap deliveries are deferred
to the target task upon resume to userspace via task_work.

However failures while adding an event's callback to the task_work
engine are ignored. And since the last call for events exit happen
after task work is eventually closed, there is a small window during
which pending sigtrap can be queued though ignored, leaking the event
refcount addition such as in the following scenario:

TASK A
-----

do_exit()
exit_task_work(tsk);

<IRQ>
perf_event_overflow()
event->pending_sigtrap = pending_id;
irq_work_queue(&event->pending_irq);
</IRQ>
=========> PREEMPTION: TASK A -> TASK B
event_sched_out()
event->pending_sigtrap = 0;
atomic_long_inc_not_zero(&event->refcount)
// FAILS: task work has exited
task_work_add(&event->pending_task)
[...]
<IRQ WORK>
perf_pending_irq()
// early return: event->oncpu = -1
</IRQ WORK>
[...]
=========> TASK B -> TASK A
perf_event_exit_task(tsk)
perf_event_exit_event()
free_event()
WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)
// leak event due to unexpected refcount == 2

As a result the event is never released while the task exits.

Fix this with appropriate task_work_add()'s error handling.

A logical flaw exists in the Linux kernel.  When a task is scheduled, pending sigtrap deliveries are deferred to the target task upon resuming to userspace via task_work. However, failures are ignored while adding an event's callback to the task_work engine. Since the last call for the event exit happens after task work is eventually closed, there is a small window where the pending sigtrap can be queued to be ignored.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-08-17 CVE Reserved
  • 2024-08-21 CVE Published
  • 2024-08-21 EPSS Updated
  • 2024-11-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-404: Improper Resource Shutdown or Release
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.15.84 < 5.15.165
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.84 < 5.15.165"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 6.1 < 6.1.103
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.1.103"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 6.1 < 6.6.44
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.6.44"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 6.1 < 6.10.3
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.10.3"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 6.1 < 6.11
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.11"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 6.0.14
Search vendor "Linux" for product "Linux Kernel" and version "6.0.14"
en
Affected