CVE-2024-43870 Affecting kernel-docs package, versions <6.4.0-150600.23.25.2


Severity

Recommended
0.0
medium
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SLES156-KERNELDOCS-8174338
  • published10 Oct 2024
  • disclosed9 Oct 2024

Introduced: 9 Oct 2024

CVE-2024-43870  (opens in a new tab)

How to fix?

Upgrade SLES:15.6 kernel-docs to version 6.4.0-150600.23.25.2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-docs package and not the kernel-docs package as distributed by SLES. See How to fix? for SLES:15.6 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix event leak upon exit

When a task is scheduled out, pending sigtrap deliveries are deferred to the target task upon resume to userspace via task_work.

However failures while adding an event's callback to the task_work engine are ignored. And since the last call for events exit happen after task work is eventually closed, there is a small window during which pending sigtrap can be queued though ignored, leaking the event refcount addition such as in the following scenario:

TASK A
-----

do_exit() exit_task_work(tsk);

&lt;IRQ&gt; perf_event_overflow() event-&gt;pending_sigtrap = pending_id; irq_work_queue(&amp;event-&gt;pending_irq); &lt;/IRQ&gt; =========&gt; PREEMPTION: TASK A -&gt; TASK B event_sched_out() event-&gt;pending_sigtrap = 0; atomic_long_inc_not_zero(&amp;event-&gt;refcount) // FAILS: task work has exited task_work_add(&amp;event-&gt;pending_task) [...] &lt;IRQ WORK&gt; perf_pending_irq() // early return: event-&gt;oncpu = -1 &lt;/IRQ WORK&gt; [...] =========&gt; TASK B -&gt; TASK A perf_event_exit_task(tsk) perf_event_exit_event() free_event() WARN(atomic_long_cmpxchg(&amp;event-&gt;refcount, 1, 0) != 1) // leak event due to unexpected refcount == 2

As a result the event is never released while the task exits.

Fix this with appropriate task_work_add()'s error handling.

CVSS Scores

version 3.1