{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43870", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-08-17T09:11:59.280Z", "datePublished": "2024-08-21T00:06:21.878Z", "dateUpdated": "2024-11-05T09:41:29.799Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:41:29.799Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exit\n\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\nto the target task upon resume to userspace via task_work.\n\nHowever failures while adding an event's callback to the task_work\nengine are ignored. And since the last call for events exit happen\nafter task work is eventually closed, there is a small window during\nwhich pending sigtrap can be queued though ignored, leaking the event\nrefcount addition such as in the following scenario:\n\n TASK A\n -----\n\n do_exit()\n exit_task_work(tsk);\n\n <IRQ>\n perf_event_overflow()\n event->pending_sigtrap = pending_id;\n irq_work_queue(&event->pending_irq);\n </IRQ>\n =========> PREEMPTION: TASK A -> TASK B\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n // FAILS: task work has exited\n task_work_add(&event->pending_task)\n [...]\n <IRQ WORK>\n perf_pending_irq()\n // early return: event->oncpu = -1\n </IRQ WORK>\n [...]\n =========> TASK B -> TASK A\n perf_event_exit_task(tsk)\n perf_event_exit_event()\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // leak event due to unexpected refcount == 2\n\nAs a result the event is never released while the task exits.\n\nFix this with appropriate task_work_add()'s error handling."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "8bffa95ac19f", "lessThan": "67fad724f1b5", "status": "affected", "versionType": "git"}, {"version": "517e6a301f34", "lessThan": "70882d7fa74f", "status": "affected", "versionType": "git"}, {"version": "517e6a301f34", "lessThan": "05d3fd599594", "status": "affected", "versionType": "git"}, {"version": "517e6a301f34", "lessThan": "3d7a63352a93", "status": "affected", "versionType": "git"}, {"version": "517e6a301f34", "lessThan": "2fd5ad3f310d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "6.1", "status": "affected"}, {"version": "0", "lessThan": "6.1", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.165", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.103", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.44", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.3", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7"}, {"url": "https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831"}, {"url": "https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51"}, {"url": "https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a"}, {"url": "https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b"}], "title": "perf: Fix event leak upon exit", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43870", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:06:23.024053Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T17:33:18.734Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43870", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:06:23.024053Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:22.695Z"}}], "cna": {"title": "perf: Fix event leak upon exit", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "8bffa95ac19f", "lessThan": "67fad724f1b5", "versionType": "git"}, {"status": "affected", "version": "517e6a301f34", "lessThan": "70882d7fa74f", "versionType": "git"}, {"status": "affected", "version": "517e6a301f34", "lessThan": "05d3fd599594", "versionType": "git"}, {"status": "affected", "version": "517e6a301f34", "lessThan": "3d7a63352a93", "versionType": "git"}, {"status": "affected", "version": "517e6a301f34", "lessThan": "2fd5ad3f310d", "versionType": "git"}], "programFiles": ["kernel/events/core.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.1"}, {"status": "unaffected", "version": "0", "lessThan": "6.1", "versionType": "custom"}, {"status": "unaffected", "version": "5.15.165", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.103", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.44", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.10.3", "versionType": "custom", "lessThanOrEqual": "6.10.*"}, {"status": "unaffected", "version": "6.11", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["kernel/events/core.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7"}, {"url": "https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831"}, {"url": "https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51"}, {"url": "https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a"}, {"url": "https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exit\n\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\nto the target task upon resume to userspace via task_work.\n\nHowever failures while adding an event's callback to the task_work\nengine are ignored. And since the last call for events exit happen\nafter task work is eventually closed, there is a small window during\nwhich pending sigtrap can be queued though ignored, leaking the event\nrefcount addition such as in the following scenario:\n\n TASK A\n -----\n\n do_exit()\n exit_task_work(tsk);\n\n <IRQ>\n perf_event_overflow()\n event->pending_sigtrap = pending_id;\n irq_work_queue(&event->pending_irq);\n </IRQ>\n =========> PREEMPTION: TASK A -> TASK B\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n // FAILS: task work has exited\n task_work_add(&event->pending_task)\n [...]\n <IRQ WORK>\n perf_pending_irq()\n // early return: event->oncpu = -1\n </IRQ WORK>\n [...]\n =========> TASK B -> TASK A\n perf_event_exit_task(tsk)\n perf_event_exit_event()\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // leak event due to unexpected refcount == 2\n\nAs a result the event is never released while the task exits.\n\nFix this with appropriate task_work_add()'s error handling."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-09-15T17:54:38.302Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43870", "state": "PUBLISHED", "dateUpdated": "2024-09-15T17:54:38.302Z", "dateReserved": "2024-08-17T09:11:59.280Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-08-21T00:06:21.878Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exit\n\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\nto the target task upon resume to userspace via task_work.\n\nHowever failures while adding an event's callback to the task_work\nengine are ignored. And since the last call for events exit happen\nafter task work is eventually closed, there is a small window during\nwhich pending sigtrap can be queued though ignored, leaking the event\nrefcount addition such as in the following scenario:\n\n TASK A\n -----\n\n do_exit()\n exit_task_work(tsk);\n\n <IRQ>\n perf_event_overflow()\n event->pending_sigtrap = pending_id;\n irq_work_queue(&event->pending_irq);\n </IRQ>\n =========> PREEMPTION: TASK A -> TASK B\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n // FAILS: task work has exited\n task_work_add(&event->pending_task)\n [...]\n <IRQ WORK>\n perf_pending_irq()\n // early return: event->oncpu = -1\n </IRQ WORK>\n [...]\n =========> TASK B -> TASK A\n perf_event_exit_task(tsk)\n perf_event_exit_event()\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // leak event due to unexpected refcount == 2\n\nAs a result the event is never released while the task exits.\n\nFix this with appropriate task_work_add()'s error handling."}], "id": "CVE-2024-43870", "lastModified": "2024-08-21T12:30:33.697", "metrics": {}, "published": "2024-08-21T01:15:11.620", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:9315", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "kernel: perf: Fix event leak upon exit", "id": "2306364", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2306364"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H", "status": "verified"}, "cwe": "CWE-404", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nperf: Fix event leak upon exit\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\nto the target task upon resume to userspace via task_work.\nHowever failures while adding an event's callback to the task_work\nengine are ignored. And since the last call for events exit happen\nafter task work is eventually closed, there is a small window during\nwhich pending sigtrap can be queued though ignored, leaking the event\nrefcount addition such as in the following scenario:\nTASK A\n-----\ndo_exit()\nexit_task_work(tsk);\n<IRQ>\nperf_event_overflow()\nevent->pending_sigtrap = pending_id;\nirq_work_queue(&event->pending_irq);\n</IRQ>\n=========> PREEMPTION: TASK A -> TASK B\nevent_sched_out()\nevent->pending_sigtrap = 0;\natomic_long_inc_not_zero(&event->refcount)\n// FAILS: task work has exited\ntask_work_add(&event->pending_task)\n[...]\n<IRQ WORK>\nperf_pending_irq()\n// early return: event->oncpu = -1\n</IRQ WORK>\n[...]\n=========> TASK B -> TASK A\nperf_event_exit_task(tsk)\nperf_event_exit_event()\nfree_event()\nWARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n// leak event due to unexpected refcount == 2\nAs a result the event is never released while the task exits.\nFix this with appropriate task_work_add()'s error handling.", "A logical flaw exists in the Linux kernel.\u00a0 When a task is scheduled, pending sigtrap deliveries are deferred to the target task upon resuming to userspace via task_work. However, failures are ignored while adding an event's callback to the task_work engine. Since the last call for the event exit happens after task work is eventually closed, there is a small window where the pending sigtrap can be queued to be ignored."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-43870", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-08-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-43870\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-43870\nhttps://lore.kernel.org/linux-cve-announce/2024082135-CVE-2024-43870-2b6f@gregkh/T"], "threat_severity": "Moderate"}