Bug 2334534 (CVE-2024-56665) - CVE-2024-56665 kernel: bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog
Summary: CVE-2024-56665 kernel: bpf,perf: Fix invalid prog_array access in perf_event_...
Keywords:
Status: NEW
Alias: CVE-2024-56665
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-12-27 16:01 UTC by OSIDB Bzimport
Modified: 2025-02-05 19:05 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2024-12-27 16:01:54 UTC 
In the Linux kernel, the following vulnerability has been resolved:

bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog

Syzbot reported [1] crash that happens for following tracing scenario:

  - create tracepoint perf event with attr.inherit=1, attach it to the
    process and set bpf program to it
  - attached process forks -> chid creates inherited event

    the new child event shares the parent's bpf program and tp_event
    (hence prog_array) which is global for tracepoint

  - exit both process and its child -> release both events
  - first perf_event_detach_bpf_prog call will release tp_event->prog_array
    and second perf_event_detach_bpf_prog will crash, because
    tp_event->prog_array is NULL

The fix makes sure the perf_event_detach_bpf_prog checks prog_array
is valid before it tries to remove the bpf program from it.

[1] https://lore.kernel.org/bpf/Z1MR6dCIKajNS6nU@krava/T/#m91dbf0688221ec7a7fc95e896a7ef9ff93b0b8ad
Comment 1 Avinash Hanwate 2024-12-28 03:31:19 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024122753-CVE-2024-56665-5df3@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.