CVE-2022-49607

26.02.2025, 07:01

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()

Yang Jihing reported a race between perf_event_set_output() and
perf_mmap_close():

	CPU1					CPU2

	perf_mmap_close(e2)
	  if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0
	    detach_rest = true

						ioctl(e1, IOC_SET_OUTPUT, e2)
						  perf_event_set_output(e1, e2)

	  ...
	  list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry)
	    ring_buffer_attach(e, NULL);
	    // e1 isn't yet added and
	    // therefore not detached

						    ring_buffer_attach(e1, e2->rb)
						      list_add_rcu(&e1->rb_entry,
								   &e2->rb->event_list)

After this; e1 is attached to an unmapped rb and a subsequent
perf_mmap() will loop forever more:

	again:
		mutex_lock(&e->mmap_mutex);
		if (event->rb) {
			...
			if (!atomic_inc_not_zero(&e->rb->mmap_count)) {
				...
				mutex_unlock(&e->mmap_mutex);
				goto again;
			}
		}

The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach
in perf_event_set_output() holds e1->mmap_mutex. As such there is no
serialization to avoid this race.

Change perf_event_set_output() to take both e1->mmap_mutex and
e2->mmap_mutex to alleviate that problem. Additionally, have the loop
in perf_mmap() detach the rb directly, this avoids having to wait for
the concurrent perf_mmap_close() to get around to doing it to make
progress.

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Linux	CNA	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Vendor	Product	Version
linux	linux_kernel	3.2.49 ≤ 𝑥 < 3.3
linux	linux_kernel	3.4.52 ≤ 𝑥 < 3.5
linux	linux_kernel	3.9.8 ≤ 𝑥 < 4.9.325
linux	linux_kernel	4.10 ≤ 𝑥 < 4.14.290
linux	linux_kernel	4.15 ≤ 𝑥 < 4.19.254
linux	linux_kernel	4.20 ≤ 𝑥 < 5.4.208
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.134
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.58
linux	linux_kernel	5.16 ≤ 𝑥 < 5.18.15
linux	linux_kernel	5.19:rc1
linux	linux_kernel	5.19:rc2
linux	linux_kernel	5.19:rc3
linux	linux_kernel	5.19:rc4
linux	linux_kernel	5.19:rc5
linux	linux_kernel	5.19:rc6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.234-1 fixed
bookworm	6.1.123-1 fixed
bookworm (security)	6.1.128-1 fixed
trixie	6.12.12-1 fixed
sid	6.12.16-1 fixed

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://git.kernel.org/stable/c/17f5417194136517ee9bbd6511249e5310e5617c

https://git.kernel.org/stable/c/3bbd868099287ff9027db59029b502fcfa2202a0

https://git.kernel.org/stable/c/43128b3eee337824158f34da6648163d2f2fb937

https://git.kernel.org/stable/c/68e3c69803dada336893640110cb87221bb01dcf

https://git.kernel.org/stable/c/98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c

https://git.kernel.org/stable/c/a9391ff7a7c5f113d6f2bf6621d49110950de49c

https://git.kernel.org/stable/c/da3c256e2d0ebc87c7db0c605c9692b6f1722074

https://git.kernel.org/stable/c/f836f9ac95df15f1e0af4beb0ec20021e8c91998