CVE-2024-43869 (GCVE-0-2024-43869)

Vulnerability from cvelistv5 – Published: 2024-08-21 00:06 – Updated: 2025-11-03 22:06
VLAI?
Title
perf: Fix event leak upon exec and file release
Summary
In the Linux kernel, the following vulnerability has been resolved: perf: Fix event leak upon exec and file release The perf pending task work is never waited upon the matching event release. In the case of a child event, released via free_event() directly, this can potentially result in a leaked event, such as in the following scenario that doesn't even require a weak IRQ work implementation to trigger: schedule() prepare_task_switch() =======> <NMI> perf_event_overflow() event->pending_sigtrap = ... irq_work_queue(&event->pending_irq) <======= </NMI> perf_event_task_sched_out() event_sched_out() event->pending_sigtrap = 0; atomic_long_inc_not_zero(&event->refcount) task_work_add(&event->pending_task) finish_lock_switch() =======> <IRQ> perf_pending_irq() //do nothing, rely on pending task work <======= </IRQ> begin_new_exec() perf_event_exit_task() perf_event_exit_event() // If is child event free_event() WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1) // event is leaked Similar scenarios can also happen with perf_event_remove_on_exec() or simply against concurrent perf_event_release(). Fix this with synchonizing against the possibly remaining pending task work while freeing the event, just like is done with remaining pending IRQ work. This means that the pending task callback neither need nor should hold a reference to the event, preventing it from ever beeing freed.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 8bffa95ac19ff27c8261904f89d36c7fcf215d59 , < 9ad46f1fef421d43cdab3a7d1744b2f43b54dae0 (git)
Affected: 517e6a301f34613bff24a8e35b5455884f2d83d8 , < ed2c202dac55423a52d7e2290f2888bf08b8ee99 (git)
Affected: 517e6a301f34613bff24a8e35b5455884f2d83d8 , < 104e258a004037bc7dba9f6085c71dad6af57ad4 (git)
Affected: 517e6a301f34613bff24a8e35b5455884f2d83d8 , < f34d8307a73a18de5320fcc6f40403146d061891 (git)
Affected: 517e6a301f34613bff24a8e35b5455884f2d83d8 , < 3a5465418f5fd970e86a86c7f4075be262682840 (git)
Affected: 78e1317a174edbfd1182599bf76c092a2877672c (git)
Create a notification for this product.
    Linux Linux Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 5.15.165 , ≤ 5.15.* (semver)
Unaffected: 6.1.103 , ≤ 6.1.* (semver)
Unaffected: 6.6.44 , ≤ 6.6.* (semver)
Unaffected: 6.10.3 , ≤ 6.10.* (semver)
Unaffected: 6.11 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43869",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:06:26.274126Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:18.868Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:06:17.395Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/perf_event.h",
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9ad46f1fef421d43cdab3a7d1744b2f43b54dae0",
              "status": "affected",
              "version": "8bffa95ac19ff27c8261904f89d36c7fcf215d59",
              "versionType": "git"
            },
            {
              "lessThan": "ed2c202dac55423a52d7e2290f2888bf08b8ee99",
              "status": "affected",
              "version": "517e6a301f34613bff24a8e35b5455884f2d83d8",
              "versionType": "git"
            },
            {
              "lessThan": "104e258a004037bc7dba9f6085c71dad6af57ad4",
              "status": "affected",
              "version": "517e6a301f34613bff24a8e35b5455884f2d83d8",
              "versionType": "git"
            },
            {
              "lessThan": "f34d8307a73a18de5320fcc6f40403146d061891",
              "status": "affected",
              "version": "517e6a301f34613bff24a8e35b5455884f2d83d8",
              "versionType": "git"
            },
            {
              "lessThan": "3a5465418f5fd970e86a86c7f4075be262682840",
              "status": "affected",
              "version": "517e6a301f34613bff24a8e35b5455884f2d83d8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "78e1317a174edbfd1182599bf76c092a2877672c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/perf_event.h",
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.165",
                  "versionStartIncluding": "5.15.84",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.103",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.44",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.3",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exec and file release\n\nThe perf pending task work is never waited upon the matching event\nrelease. In the case of a child event, released via free_event()\ndirectly, this can potentially result in a leaked event, such as in the\nfollowing scenario that doesn\u0027t even require a weak IRQ work\nimplementation to trigger:\n\nschedule()\n   prepare_task_switch()\n=======\u003e \u003cNMI\u003e\n      perf_event_overflow()\n         event-\u003epending_sigtrap = ...\n         irq_work_queue(\u0026event-\u003epending_irq)\n\u003c======= \u003c/NMI\u003e\n      perf_event_task_sched_out()\n          event_sched_out()\n              event-\u003epending_sigtrap = 0;\n              atomic_long_inc_not_zero(\u0026event-\u003erefcount)\n              task_work_add(\u0026event-\u003epending_task)\n   finish_lock_switch()\n=======\u003e \u003cIRQ\u003e\n   perf_pending_irq()\n      //do nothing, rely on pending task work\n\u003c======= \u003c/IRQ\u003e\n\nbegin_new_exec()\n   perf_event_exit_task()\n      perf_event_exit_event()\n         // If is child event\n         free_event()\n            WARN(atomic_long_cmpxchg(\u0026event-\u003erefcount, 1, 0) != 1)\n            // event is leaked\n\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\nsimply against concurrent perf_event_release().\n\nFix this with synchonizing against the possibly remaining pending task\nwork while freeing the event, just like is done with remaining pending\nIRQ work. This means that the pending task callback neither need nor\nshould hold a reference to the event, preventing it from ever beeing\nfreed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:58:15.693Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99"
        },
        {
          "url": "https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4"
        },
        {
          "url": "https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840"
        }
      ],
      "title": "perf: Fix event leak upon exec and file release",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-43869",
    "datePublished": "2024-08-21T00:06:20.807Z",
    "dateReserved": "2024-08-17T09:11:59.280Z",
    "dateUpdated": "2025-11-03T22:06:17.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-43869\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T16:06:26.274126Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:22.719Z\"}}], \"cna\": {\"title\": \"perf: Fix event leak upon exec and file release\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"8bffa95ac19ff27c8261904f89d36c7fcf215d59\", \"lessThan\": \"9ad46f1fef421d43cdab3a7d1744b2f43b54dae0\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"517e6a301f34613bff24a8e35b5455884f2d83d8\", \"lessThan\": \"ed2c202dac55423a52d7e2290f2888bf08b8ee99\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"517e6a301f34613bff24a8e35b5455884f2d83d8\", \"lessThan\": \"104e258a004037bc7dba9f6085c71dad6af57ad4\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"517e6a301f34613bff24a8e35b5455884f2d83d8\", \"lessThan\": \"f34d8307a73a18de5320fcc6f40403146d061891\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"517e6a301f34613bff24a8e35b5455884f2d83d8\", \"lessThan\": \"3a5465418f5fd970e86a86c7f4075be262682840\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"78e1317a174edbfd1182599bf76c092a2877672c\", \"versionType\": \"git\"}], \"programFiles\": [\"include/linux/perf_event.h\", \"kernel/events/core.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.1\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.1\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.15.165\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.103\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.44\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.10.3\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"include/linux/perf_event.h\", \"kernel/events/core.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0\"}, {\"url\": \"https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99\"}, {\"url\": \"https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4\"}, {\"url\": \"https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891\"}, {\"url\": \"https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf: Fix event leak upon exec and file release\\n\\nThe perf pending task work is never waited upon the matching event\\nrelease. In the case of a child event, released via free_event()\\ndirectly, this can potentially result in a leaked event, such as in the\\nfollowing scenario that doesn\u0027t even require a weak IRQ work\\nimplementation to trigger:\\n\\nschedule()\\n   prepare_task_switch()\\n=======\u003e \u003cNMI\u003e\\n      perf_event_overflow()\\n         event-\u003epending_sigtrap = ...\\n         irq_work_queue(\u0026event-\u003epending_irq)\\n\u003c======= \u003c/NMI\u003e\\n      perf_event_task_sched_out()\\n          event_sched_out()\\n              event-\u003epending_sigtrap = 0;\\n              atomic_long_inc_not_zero(\u0026event-\u003erefcount)\\n              task_work_add(\u0026event-\u003epending_task)\\n   finish_lock_switch()\\n=======\u003e \u003cIRQ\u003e\\n   perf_pending_irq()\\n      //do nothing, rely on pending task work\\n\u003c======= \u003c/IRQ\u003e\\n\\nbegin_new_exec()\\n   perf_event_exit_task()\\n      perf_event_exit_event()\\n         // If is child event\\n         free_event()\\n            WARN(atomic_long_cmpxchg(\u0026event-\u003erefcount, 1, 0) != 1)\\n            // event is leaked\\n\\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\\nsimply against concurrent perf_event_release().\\n\\nFix this with synchonizing against the possibly remaining pending task\\nwork while freeing the event, just like is done with remaining pending\\nIRQ work. This means that the pending task callback neither need nor\\nshould hold a reference to the event, preventing it from ever beeing\\nfreed.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.165\", \"versionStartIncluding\": \"5.15.84\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.103\", \"versionStartIncluding\": \"6.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.44\", \"versionStartIncluding\": \"6.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.10.3\", \"versionStartIncluding\": \"6.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11\", \"versionStartIncluding\": \"6.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.0.14\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T12:58:15.693Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-43869\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T12:58:15.693Z\", \"dateReserved\": \"2024-08-17T09:11:59.280Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-08-21T00:06:20.807Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…