CVE-2024-56665

bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog

Syzbot reported [1] crash that happens for following tracing scenario:

- create tracepoint perf event with attr.inherit=1, attach it to the
process and set bpf program to it
- attached process forks -> chid creates inherited event

the new child event shares the parent's bpf program and tp_event
(hence prog_array) which is global for tracepoint

- exit both process and its child -> release both events
- first perf_event_detach_bpf_prog call will release tp_event->prog_array
and second perf_event_detach_bpf_prog will crash, because
tp_event->prog_array is NULL

The fix makes sure the perf_event_detach_bpf_prog checks prog_array
is valid before it tries to remove the bpf program from it.

[1] https://lore.kernel.org/bpf/Z1MR6dCIKajNS6nU@krava/T/#m91dbf0688221ec7a7fc95e896a7ef9ff93b0b8ad

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-12-27 CVE Reserved
2024-12-27 CVE Published
2024-12-27 CVE Updated
2024-12-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/7a5c653ede645693422e43cccaa3e8f905d21c74	Vuln. Introduced
https://git.kernel.org/stable/c/21db2f35fa97e4a3447f2edeb7b2569a8bfdc83b	Vuln. Introduced
https://git.kernel.org/stable/c/0ee288e69d033850bc87abe0f9cc3ada24763d7f	Vuln. Introduced
https://git.kernel.org/stable/c/b4007d5fe38625b8a1b8edc0f385d86527651238	Vuln. Introduced
https://git.kernel.org/stable/c/585674b9d0d80bd7f428b1f88be13cf6d5d6f739	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/842e5af282453983586e2eae3c8eaf252de5f22f	2024-12-19
https://git.kernel.org/stable/c/c2b6b47662d5f2dfce92e5ffbdcac8229f321d9d	2024-12-19
https://git.kernel.org/stable/c/dfb15ddf3b65e0df2129f9756d1b4fa78055cdb3	2024-12-19
https://git.kernel.org/stable/c/978c4486cca5c7b9253d3ab98a88c8e769cb9bbd	2024-12-10

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.115 < 6.1.121 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.115 < 6.1.121"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.59 < 6.6.67 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.59 < 6.6.67"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.12 < 6.12.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.12 < 6.12.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.12 < 6.13-rc3 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.12 < 6.13-rc3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.15.170 Search vendor "Linux" for product "Linux Kernel" and version "5.15.170"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.11.6 Search vendor "Linux" for product "Linux Kernel" and version "6.11.6"		en		Affected