CVE-2025-38267 (GCVE-0-2025-38267)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:41 – Updated: 2026-05-11 21:24
VLAI
Title
ring-buffer: Do not trigger WARN_ON() due to a commit_overrun
Summary
In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Do not trigger WARN_ON() due to a commit_overrun When reading a memory mapped buffer the reader page is just swapped out with the last page written in the write buffer. If the reader page is the same as the commit buffer (the buffer that is currently being written to) it was assumed that it should never have missed events. If it does, it triggers a WARN_ON_ONCE(). But there just happens to be one scenario where this can legitimately happen. That is on a commit_overrun. A commit overrun is when an interrupt preempts an event being written to the buffer and then the interrupt adds so many new events that it fills and wraps the buffer back to the commit. Any new events would then be dropped and be reported as "missed_events". In this case, the next page to read is the commit buffer and after the swap of the reader page, the reader page will be the commit buffer, but this time there will be missed events and this triggers the following warning: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780 Modules linked in: kvm_intel kvm irqbypass CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780 Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff <0f> 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50 RSP: 0018:ffff888121787dc0 EFLAGS: 00010002 RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49 RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8 RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982 R10: ffff888126934c17 R11: ffff8881010050a8 R12: ffff888126934c00 R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008 FS: 00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0 Call Trace: <TASK> ? __pfx_ring_buffer_map_get_reader+0x10/0x10 tracing_buffers_ioctl+0x283/0x370 __x64_sys_ioctl+0x134/0x190 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f95c8de48db Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006 RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90 </TASK> irq event stamp: 5080 hardirqs last enabled at (5079): [<ffffffff83e0adb0>] _raw_spin_unlock_irqrestore+0x50/0x70 hardirqs last disabled at (5080): [<ffffffff83e0aa83>] _raw_spin_lock_irqsave+0x63/0x70 softirqs last enabled at (4182): [<ffffffff81516122>] handle_softirqs+0x552/0x710 softirqs last disabled at (4159): [<ffffffff815163f7>] __irq_exit_rcu+0x107/0x210 ---[ end trace 0000000000000000 ]--- The above was triggered by running on a kernel with both lockdep and KASAN as well as kmemleak enabled and executing the following command: # perf record -o perf-test.dat -a -- trace-cmd record --nosplice -e all -p function hackbench 50 With perf interjecting a lot of interrupts and trace-cmd enabling all events as well as function tracing, with lockdep, KASAN and kmemleak enabled, it could cause an interrupt preempting an event being written to add enough event ---truncated---
Severity
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: fe832be05a8eee5f1488cbcc2c562dd82d079fd6 , < b8df8cb8f7eef52baa9ac5bf36a405ca67945a91 (git)
Affected: fe832be05a8eee5f1488cbcc2c562dd82d079fd6 , < e018053632bad8ee0752242c7d2cffb0bbf45404 (git)
Affected: fe832be05a8eee5f1488cbcc2c562dd82d079fd6 , < 4fc78a7c9ca994e1da5d3940704d4e8f0ea8c5e4 (git)
Create a notification for this product.
Linux Linux Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ring_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b8df8cb8f7eef52baa9ac5bf36a405ca67945a91",
              "status": "affected",
              "version": "fe832be05a8eee5f1488cbcc2c562dd82d079fd6",
              "versionType": "git"
            },
            {
              "lessThan": "e018053632bad8ee0752242c7d2cffb0bbf45404",
              "status": "affected",
              "version": "fe832be05a8eee5f1488cbcc2c562dd82d079fd6",
              "versionType": "git"
            },
            {
              "lessThan": "4fc78a7c9ca994e1da5d3940704d4e8f0ea8c5e4",
              "status": "affected",
              "version": "fe832be05a8eee5f1488cbcc2c562dd82d079fd6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ring_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not trigger WARN_ON() due to a commit_overrun\n\nWhen reading a memory mapped buffer the reader page is just swapped out\nwith the last page written in the write buffer. If the reader page is the\nsame as the commit buffer (the buffer that is currently being written to)\nit was assumed that it should never have missed events. If it does, it\ntriggers a WARN_ON_ONCE().\n\nBut there just happens to be one scenario where this can legitimately\nhappen. That is on a commit_overrun. A commit overrun is when an interrupt\npreempts an event being written to the buffer and then the interrupt adds\nso many new events that it fills and wraps the buffer back to the commit.\nAny new events would then be dropped and be reported as \"missed_events\".\n\nIn this case, the next page to read is the commit buffer and after the\nswap of the reader page, the reader page will be the commit buffer, but\nthis time there will be missed events and this triggers the following\nwarning:\n\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780\n Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff \u003c0f\u003e 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50\n RSP: 0018:ffff888121787dc0 EFLAGS: 00010002\n RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49\n RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8\n RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982\n R10: ffff888126934c17 R11: ffff8881010050a8 R12: ffff888126934c00\n R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008\n FS:  00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0\n Call Trace:\n  \u003cTASK\u003e\n  ? __pfx_ring_buffer_map_get_reader+0x10/0x10\n  tracing_buffers_ioctl+0x283/0x370\n  __x64_sys_ioctl+0x134/0x190\n  do_syscall_64+0x79/0x1c0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f95c8de48db\n Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 \u003c89\u003e c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00\n RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db\n RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006\n RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90\n  \u003c/TASK\u003e\n irq event stamp: 5080\n hardirqs last  enabled at (5079): [\u003cffffffff83e0adb0\u003e] _raw_spin_unlock_irqrestore+0x50/0x70\n hardirqs last disabled at (5080): [\u003cffffffff83e0aa83\u003e] _raw_spin_lock_irqsave+0x63/0x70\n softirqs last  enabled at (4182): [\u003cffffffff81516122\u003e] handle_softirqs+0x552/0x710\n softirqs last disabled at (4159): [\u003cffffffff815163f7\u003e] __irq_exit_rcu+0x107/0x210\n ---[ end trace 0000000000000000 ]---\n\nThe above was triggered by running on a kernel with both lockdep and KASAN\nas well as kmemleak enabled and executing the following command:\n\n # perf record -o perf-test.dat -a -- trace-cmd record --nosplice  -e all -p function hackbench 50\n\nWith perf interjecting a lot of interrupts and trace-cmd enabling all\nevents as well as function tracing, with lockdep, KASAN and kmemleak\nenabled, it could cause an interrupt preempting an event being written to\nadd enough event\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:24:34.104Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b8df8cb8f7eef52baa9ac5bf36a405ca67945a91"
        },
        {
          "url": "https://git.kernel.org/stable/c/e018053632bad8ee0752242c7d2cffb0bbf45404"
        },
        {
          "url": "https://git.kernel.org/stable/c/4fc78a7c9ca994e1da5d3940704d4e8f0ea8c5e4"
        }
      ],
      "title": "ring-buffer: Do not trigger WARN_ON() due to a commit_overrun",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38267",
    "datePublished": "2025-07-10T07:41:50.551Z",
    "dateReserved": "2025-04-16T04:51:23.998Z",
    "dateUpdated": "2026-05-11T21:24:34.104Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-38267",
      "date": "2026-06-20",
      "epss": "0.00172",
      "percentile": "0.06773"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38267\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-10T08:15:24.833\",\"lastModified\":\"2025-11-18T18:33:03.180\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nring-buffer: Do not trigger WARN_ON() due to a commit_overrun\\n\\nWhen reading a memory mapped buffer the reader page is just swapped out\\nwith the last page written in the write buffer. If the reader page is the\\nsame as the commit buffer (the buffer that is currently being written to)\\nit was assumed that it should never have missed events. If it does, it\\ntriggers a WARN_ON_ONCE().\\n\\nBut there just happens to be one scenario where this can legitimately\\nhappen. That is on a commit_overrun. A commit overrun is when an interrupt\\npreempts an event being written to the buffer and then the interrupt adds\\nso many new events that it fills and wraps the buffer back to the commit.\\nAny new events would then be dropped and be reported as \\\"missed_events\\\".\\n\\nIn this case, the next page to read is the commit buffer and after the\\nswap of the reader page, the reader page will be the commit buffer, but\\nthis time there will be missed events and this triggers the following\\nwarning:\\n\\n ------------[ cut here ]------------\\n WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780\\n Modules linked in: kvm_intel kvm irqbypass\\n CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\\n RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780\\n Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff \u003c0f\u003e 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50\\n RSP: 0018:ffff888121787dc0 EFLAGS: 00010002\\n RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49\\n RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8\\n RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982\\n R10: ffff888126934c17 R11: ffff8881010050a8 R12: ffff888126934c00\\n R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008\\n FS:  00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000\\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0\\n Call Trace:\\n  \u003cTASK\u003e\\n  ? __pfx_ring_buffer_map_get_reader+0x10/0x10\\n  tracing_buffers_ioctl+0x283/0x370\\n  __x64_sys_ioctl+0x134/0x190\\n  do_syscall_64+0x79/0x1c0\\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n RIP: 0033:0x7f95c8de48db\\n Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 \u003c89\u003e c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00\\n RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\\n RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db\\n RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006\\n RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000\\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\\n R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90\\n  \u003c/TASK\u003e\\n irq event stamp: 5080\\n hardirqs last  enabled at (5079): [\u003cffffffff83e0adb0\u003e] _raw_spin_unlock_irqrestore+0x50/0x70\\n hardirqs last disabled at (5080): [\u003cffffffff83e0aa83\u003e] _raw_spin_lock_irqsave+0x63/0x70\\n softirqs last  enabled at (4182): [\u003cffffffff81516122\u003e] handle_softirqs+0x552/0x710\\n softirqs last disabled at (4159): [\u003cffffffff815163f7\u003e] __irq_exit_rcu+0x107/0x210\\n ---[ end trace 0000000000000000 ]---\\n\\nThe above was triggered by running on a kernel with both lockdep and KASAN\\nas well as kmemleak enabled and executing the following command:\\n\\n # perf record -o perf-test.dat -a -- trace-cmd record --nosplice  -e all -p function hackbench 50\\n\\nWith perf interjecting a lot of interrupts and trace-cmd enabling all\\nevents as well as function tracing, with lockdep, KASAN and kmemleak\\nenabled, it could cause an interrupt preempting an event being written to\\nadd enough event\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ring-buffer: No se activa WARN_ON() debido a un commit_overrun. Al leer un b\u00fafer asignado a memoria, la p\u00e1gina del lector simplemente se intercambia con la \u00faltima p\u00e1gina escrita en el b\u00fafer de escritura. Si la p\u00e1gina del lector coincide con el b\u00fafer de confirmaci\u00f3n (el b\u00fafer en el que se est\u00e1 escribiendo), se asum\u00eda que nunca deber\u00eda haber omitido eventos. Si lo hace, activa WARN_ON_ONCE(). Sin embargo, existe un escenario donde esto puede ocurrir leg\u00edtimamente: un commit_overrun. Un commit_overrun ocurre cuando una interrupci\u00f3n adelanta un evento que se est\u00e1 escribiendo en el b\u00fafer y luego la interrupci\u00f3n agrega tantos eventos nuevos que llena y envuelve el b\u00fafer de nuevo en la confirmaci\u00f3n. Cualquier evento nuevo se descartar\u00eda y se reportar\u00eda como \\\"missed_events\\\". En este caso, la siguiente p\u00e1gina a leer es el b\u00fafer de confirmaci\u00f3n y despu\u00e9s del intercambio de la p\u00e1gina del lector, la p\u00e1gina del lector ser\u00e1 el b\u00fafer de confirmaci\u00f3n, pero esta vez habr\u00e1 eventos perdidos y esto activa la siguiente advertencia: ------------[ cortar aqu\u00ed ]------------ ADVERTENCIA: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780 Modules linked in: kvm_intel kvm irqbypass CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780 Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff \u0026lt;0f\u0026gt; 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50 RSP: 0018:ffff888121787dc0 EFLAGS: 00010002 RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49 RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8 RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982 R10: ffff888126934c17 R11: ffff8881010050a8 R12: ffff888126934c00 R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008 FS: 00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0 Call Trace:  ? __pfx_ring_buffer_map_get_reader+0x10/0x10 tracing_buffers_ioctl+0x283/0x370 __x64_sys_ioctl+0x134/0x190 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f95c8de48db Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 \u0026lt;89\u0026gt; c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006 RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90  irq event stamp: 5080 hardirqs last enabled at (5079): [] _raw_spin_unlock_irqrestore+0x50/0x70 hardirqs last disabled at (5080): [] _raw_spin_lock_irqsave+0x63/0x70 softirqs last enabled at (4182): [] handle_softirqs+0x552/0x710 softirqs last disabled at (4159): [] __irq_exit_rcu+0x107/0x210 ---[ fin del seguimiento 0000000000000000 ]--- Lo anterior se activ\u00f3 al ejecutar un kernel con lockdep y KASAN, as\u00ed como kmemleak habilitados, y al ejecutar el siguiente comando: # perf record -o perf-test.dat -a -- trace-cmd record --nosplice -e all -p function hackbench 50 Con perf intercalando muchas interrupciones y trace-cmd habilitando todos los eventos as\u00ed como el seguimiento de funciones, con lockdep, KASAN y kmemleak habilitados, podr\u00eda causar una interrupci\u00f3n que interrumpa la escritura de un evento para agregar suficiente evento ---truncado---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.10\",\"versionEndExcluding\":\"6.12.34\",\"matchCriteriaId\":\"F6499D2B-1E57-44BB-866C-D74E63C32759\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.15.3\",\"matchCriteriaId\":\"0541C761-BD5E-4C1A-8432-83B375D7EB92\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4fc78a7c9ca994e1da5d3940704d4e8f0ea8c5e4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b8df8cb8f7eef52baa9ac5bf36a405ca67945a91\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e018053632bad8ee0752242c7d2cffb0bbf45404\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.