CVE-2024-57849: s390/cpum_sf: Handle CPU hotplug remove during sampling
Description
In the Linux kernel, the following vulnerability has been resolved:
s390/cpum_sf: Handle CPU hotplug remove during sampling
CPU hotplug remove handling triggers the following function
call sequence:
CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu()
...
CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu()
The s390 CPUMF sampling CPU hotplug handler invokes:
s390_pmu_sf_offline_cpu()
+--> cpusf_pmu_setup()
+--> setup_pmc_cpu()
+--> deallocate_buffers()
This function de-allocates all sampling data buffers (SDBs) allocated
for that CPU at event initialization. It also clears the
PMU_F_RESERVED bit. The CPU is gone and can not be sampled.
With the event still being active on the removed CPU, the CPU event
hotplug support in kernel performance subsystem triggers the
following function calls on the removed CPU:
perf_event_exit_cpu()
+--> perf_event_exit_cpu_context()
+--> __perf_event_exit_context()
+--> __perf_remove_from_context()
+--> event_sched_out()
+--> cpumsf_pmu_del()
+--> cpumsf_pmu_stop()
+--> hw_perf_event_update()
to stop and remove the event. During removal of the event, the
sampling device driver tries to read out the remaining samples from
the sample data buffers (SDBs). But they have already been freed
(and may have been re-assigned). This may lead to a use after free
situation in which case the samples are most likely ...
Classification
CVE ID: CVE-2024-57849
Affected Products
Vendor: Linux
Product: Linux
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 12.38% (scored less or equal to compared to others)
EPSS Date: 2025-02-09 (when was this score calculated)
References
https://git.kernel.org/stable/c/238e3af849dfdcb1faed544349f7025e533f9aabhttps://git.kernel.org/stable/c/99192c735ed4bfdff0d215ec85c8a87a677cb898
https://git.kernel.org/stable/c/06a92f810df8037ca36157282ddcbefdcaf049b8
https://git.kernel.org/stable/c/b5be6a0bb639d165c8418d8dddd8f322587be8be
https://git.kernel.org/stable/c/a69752f1e5de817941a2ea0609254f6f25acd274
https://git.kernel.org/stable/c/be54e6e0f93a39a9c00478d70d12956a5f3d5b9b
https://git.kernel.org/stable/c/a0bd7dacbd51c632b8e2c0500b479af564afadf3