{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43869", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-08-17T09:11:59.280Z", "datePublished": "2024-08-21T00:06:20.807Z", "dateUpdated": "2024-11-05T09:41:28.637Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:41:28.637Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exec and file release\n\nThe perf pending task work is never waited upon the matching event\nrelease. In the case of a child event, released via free_event()\ndirectly, this can potentially result in a leaked event, such as in the\nfollowing scenario that doesn't even require a weak IRQ work\nimplementation to trigger:\n\nschedule()\n prepare_task_switch()\n=======> <NMI>\n perf_event_overflow()\n event->pending_sigtrap = ...\n irq_work_queue(&event->pending_irq)\n<======= </NMI>\n perf_event_task_sched_out()\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n task_work_add(&event->pending_task)\n finish_lock_switch()\n=======> <IRQ>\n perf_pending_irq()\n //do nothing, rely on pending task work\n<======= </IRQ>\n\nbegin_new_exec()\n perf_event_exit_task()\n perf_event_exit_event()\n // If is child event\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // event is leaked\n\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\nsimply against concurrent perf_event_release().\n\nFix this with synchonizing against the possibly remaining pending task\nwork while freeing the event, just like is done with remaining pending\nIRQ work. This means that the pending task callback neither need nor\nshould hold a reference to the event, preventing it from ever beeing\nfreed."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/perf_event.h", "kernel/events/core.c"], "versions": [{"version": "8bffa95ac19f", "lessThan": "9ad46f1fef42", "status": "affected", "versionType": "git"}, {"version": "517e6a301f34", "lessThan": "ed2c202dac55", "status": "affected", "versionType": "git"}, {"version": "517e6a301f34", "lessThan": "104e258a0040", "status": "affected", "versionType": "git"}, {"version": "517e6a301f34", "lessThan": "f34d8307a73a", "status": "affected", "versionType": "git"}, {"version": "517e6a301f34", "lessThan": "3a5465418f5f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/perf_event.h", "kernel/events/core.c"], "versions": [{"version": "6.1", "status": "affected"}, {"version": "0", "lessThan": "6.1", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.165", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.103", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.44", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.3", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0"}, {"url": "https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99"}, {"url": "https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4"}, {"url": "https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891"}, {"url": "https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840"}], "title": "perf: Fix event leak upon exec and file release", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43869", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:06:26.274126Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T17:33:18.868Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43869", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:06:26.274126Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:22.719Z"}}], "cna": {"title": "perf: Fix event leak upon exec and file release", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "8bffa95ac19f", "lessThan": "9ad46f1fef42", "versionType": "git"}, {"status": "affected", "version": "517e6a301f34", "lessThan": "ed2c202dac55", "versionType": "git"}, {"status": "affected", "version": "517e6a301f34", "lessThan": "104e258a0040", "versionType": "git"}, {"status": "affected", "version": "517e6a301f34", "lessThan": "f34d8307a73a", "versionType": "git"}, {"status": "affected", "version": "517e6a301f34", "lessThan": "3a5465418f5f", "versionType": "git"}], "programFiles": ["include/linux/perf_event.h", "kernel/events/core.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.1"}, {"status": "unaffected", "version": "0", "lessThan": "6.1", "versionType": "custom"}, {"status": "unaffected", "version": "5.15.165", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.103", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.44", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.10.3", "versionType": "custom", "lessThanOrEqual": "6.10.*"}, {"status": "unaffected", "version": "6.11", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["include/linux/perf_event.h", "kernel/events/core.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0"}, {"url": "https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99"}, {"url": "https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4"}, {"url": "https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891"}, {"url": "https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exec and file release\n\nThe perf pending task work is never waited upon the matching event\nrelease. In the case of a child event, released via free_event()\ndirectly, this can potentially result in a leaked event, such as in the\nfollowing scenario that doesn't even require a weak IRQ work\nimplementation to trigger:\n\nschedule()\n prepare_task_switch()\n=======> <NMI>\n perf_event_overflow()\n event->pending_sigtrap = ...\n irq_work_queue(&event->pending_irq)\n<======= </NMI>\n perf_event_task_sched_out()\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n task_work_add(&event->pending_task)\n finish_lock_switch()\n=======> <IRQ>\n perf_pending_irq()\n //do nothing, rely on pending task work\n<======= </IRQ>\n\nbegin_new_exec()\n perf_event_exit_task()\n perf_event_exit_event()\n // If is child event\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // event is leaked\n\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\nsimply against concurrent perf_event_release().\n\nFix this with synchonizing against the possibly remaining pending task\nwork while freeing the event, just like is done with remaining pending\nIRQ work. This means that the pending task callback neither need nor\nshould hold a reference to the event, preventing it from ever beeing\nfreed."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-09-15T17:54:37.178Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43869", "state": "PUBLISHED", "dateUpdated": "2024-09-15T17:54:37.178Z", "dateReserved": "2024-08-17T09:11:59.280Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-08-21T00:06:20.807Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exec and file release\n\nThe perf pending task work is never waited upon the matching event\nrelease. In the case of a child event, released via free_event()\ndirectly, this can potentially result in a leaked event, such as in the\nfollowing scenario that doesn't even require a weak IRQ work\nimplementation to trigger:\n\nschedule()\n prepare_task_switch()\n=======> <NMI>\n perf_event_overflow()\n event->pending_sigtrap = ...\n irq_work_queue(&event->pending_irq)\n<======= </NMI>\n perf_event_task_sched_out()\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n task_work_add(&event->pending_task)\n finish_lock_switch()\n=======> <IRQ>\n perf_pending_irq()\n //do nothing, rely on pending task work\n<======= </IRQ>\n\nbegin_new_exec()\n perf_event_exit_task()\n perf_event_exit_event()\n // If is child event\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // event is leaked\n\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\nsimply against concurrent perf_event_release().\n\nFix this with synchonizing against the possibly remaining pending task\nwork while freeing the event, just like is done with remaining pending\nIRQ work. This means that the pending task callback neither need nor\nshould hold a reference to the event, preventing it from ever beeing\nfreed."}], "id": "CVE-2024-43869", "lastModified": "2024-08-21T12:30:33.697", "metrics": {}, "published": "2024-08-21T01:15:11.550", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:9315", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "kernel: perf: Fix event leak upon exec and file release", "id": "2306363", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2306363"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "status": "verified"}, "cwe": "CWE-402", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nperf: Fix event leak upon exec and file release\nThe perf pending task work is never waited upon the matching event\nrelease. In the case of a child event, released via free_event()\ndirectly, this can potentially result in a leaked event, such as in the\nfollowing scenario that doesn't even require a weak IRQ work\nimplementation to trigger:\nschedule()\nprepare_task_switch()\n=======> <NMI>\nperf_event_overflow()\nevent->pending_sigtrap = ...\nirq_work_queue(&event->pending_irq)\n<======= </NMI>\nperf_event_task_sched_out()\nevent_sched_out()\nevent->pending_sigtrap = 0;\natomic_long_inc_not_zero(&event->refcount)\ntask_work_add(&event->pending_task)\nfinish_lock_switch()\n=======> <IRQ>\nperf_pending_irq()\n//do nothing, rely on pending task work\n<======= </IRQ>\nbegin_new_exec()\nperf_event_exit_task()\nperf_event_exit_event()\n// If is child event\nfree_event()\nWARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n// event is leaked\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\nsimply against concurrent perf_event_release().\nFix this with synchonizing against the possibly remaining pending task\nwork while freeing the event, just like is done with remaining pending\nIRQ work. This means that the pending task callback neither need nor\nshould hold a reference to the event, preventing it from ever beeing\nfreed."], "name": "CVE-2024-43869", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-08-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-43869\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-43869\nhttps://lore.kernel.org/linux-cve-announce/2024082133-CVE-2024-43869-26aa@gregkh/T"], "threat_severity": "Moderate"}