ghsa-r823-qmw9-v7xf
Vulnerability from github
Published
2024-05-21 18:31
Modified
2024-05-21 18:31
Details

In the Linux kernel, the following vulnerability has been resolved:

drivers: perf: Do not broadcast to other cpus when starting a counter

This command:

$ perf record -e cycles:k -e instructions:k -c 10000 -m 64M dd if=/dev/zero of=/dev/null count=1000

gives rise to this kernel warning:

[ 444.364395] WARNING: CPU: 0 PID: 104 at kernel/smp.c:775 smp_call_function_many_cond+0x42c/0x436 [ 444.364515] Modules linked in: [ 444.364657] CPU: 0 PID: 104 Comm: perf-exec Not tainted 6.6.0-rc6-00051-g391df82e8ec3-dirty #73 [ 444.364771] Hardware name: riscv-virtio,qemu (DT) [ 444.364868] epc : smp_call_function_many_cond+0x42c/0x436 [ 444.364917] ra : on_each_cpu_cond_mask+0x20/0x32 [ 444.364948] epc : ffffffff8009f9e0 ra : ffffffff8009fa5a sp : ff20000000003800 [ 444.364966] gp : ffffffff81500aa0 tp : ff60000002b83000 t0 : ff200000000038c0 [ 444.364982] t1 : ffffffff815021f0 t2 : 000000000000001f s0 : ff200000000038b0 [ 444.364998] s1 : ff60000002c54d98 a0 : ff60000002a73940 a1 : 0000000000000000 [ 444.365013] a2 : 0000000000000000 a3 : 0000000000000003 a4 : 0000000000000100 [ 444.365029] a5 : 0000000000010100 a6 : 0000000000f00000 a7 : 0000000000000000 [ 444.365044] s2 : 0000000000000000 s3 : ffffffffffffffff s4 : ff60000002c54d98 [ 444.365060] s5 : ffffffff81539610 s6 : ffffffff80c20c48 s7 : 0000000000000000 [ 444.365075] s8 : 0000000000000000 s9 : 0000000000000001 s10: 0000000000000001 [ 444.365090] s11: ffffffff80099394 t3 : 0000000000000003 t4 : 00000000eac0c6e6 [ 444.365104] t5 : 0000000400000000 t6 : ff60000002e010d0 [ 444.365120] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003 [ 444.365226] [] smp_call_function_many_cond+0x42c/0x436 [ 444.365295] [] on_each_cpu_cond_mask+0x20/0x32 [ 444.365311] [] pmu_sbi_ctr_start+0x7a/0xaa [ 444.365327] [] riscv_pmu_start+0x48/0x66 [ 444.365339] [] perf_adjust_freq_unthr_context+0x196/0x1ac [ 444.365356] [] perf_event_task_tick+0x78/0x8c [ 444.365368] [] scheduler_tick+0xe6/0x25e [ 444.365383] [] update_process_times+0x80/0x96 [ 444.365398] [] tick_sched_handle+0x26/0x52 [ 444.365410] [] tick_sched_timer+0x50/0x98 [ 444.365422] [] __hrtimer_run_queues+0x126/0x18a [ 444.365433] [] hrtimer_interrupt+0xce/0x1da [ 444.365444] [] riscv_timer_interrupt+0x30/0x3a [ 444.365457] [] handle_percpu_devid_irq+0x80/0x114 [ 444.365470] [] generic_handle_domain_irq+0x1c/0x2a [ 444.365483] [] riscv_intc_irq+0x2e/0x46 [ 444.365497] [] handle_riscv_irq+0x4a/0x74 [ 444.365521] [] do_irq+0x7c/0x7e [ 444.365796] ---[ end trace 0000000000000000 ]---

That's because the fix in commit 3fec323339a4 ("drivers: perf: Fix panic in riscv SBI mmap support") was wrong since there is no need to broadcast to other cpus when starting a counter, that's only needed in mmap when the counters could have already been started on other cpus, so simply remove this broadcast.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-52839"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T16:15:21Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: perf: Do not broadcast to other cpus when starting a counter\n\nThis command:\n\n$ perf record -e cycles:k -e instructions:k -c 10000 -m 64M dd if=/dev/zero of=/dev/null count=1000\n\ngives rise to this kernel warning:\n\n[  444.364395] WARNING: CPU: 0 PID: 104 at kernel/smp.c:775 smp_call_function_many_cond+0x42c/0x436\n[  444.364515] Modules linked in:\n[  444.364657] CPU: 0 PID: 104 Comm: perf-exec Not tainted 6.6.0-rc6-00051-g391df82e8ec3-dirty #73\n[  444.364771] Hardware name: riscv-virtio,qemu (DT)\n[  444.364868] epc : smp_call_function_many_cond+0x42c/0x436\n[  444.364917]  ra : on_each_cpu_cond_mask+0x20/0x32\n[  444.364948] epc : ffffffff8009f9e0 ra : ffffffff8009fa5a sp : ff20000000003800\n[  444.364966]  gp : ffffffff81500aa0 tp : ff60000002b83000 t0 : ff200000000038c0\n[  444.364982]  t1 : ffffffff815021f0 t2 : 000000000000001f s0 : ff200000000038b0\n[  444.364998]  s1 : ff60000002c54d98 a0 : ff60000002a73940 a1 : 0000000000000000\n[  444.365013]  a2 : 0000000000000000 a3 : 0000000000000003 a4 : 0000000000000100\n[  444.365029]  a5 : 0000000000010100 a6 : 0000000000f00000 a7 : 0000000000000000\n[  444.365044]  s2 : 0000000000000000 s3 : ffffffffffffffff s4 : ff60000002c54d98\n[  444.365060]  s5 : ffffffff81539610 s6 : ffffffff80c20c48 s7 : 0000000000000000\n[  444.365075]  s8 : 0000000000000000 s9 : 0000000000000001 s10: 0000000000000001\n[  444.365090]  s11: ffffffff80099394 t3 : 0000000000000003 t4 : 00000000eac0c6e6\n[  444.365104]  t5 : 0000000400000000 t6 : ff60000002e010d0\n[  444.365120] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003\n[  444.365226] [\u003cffffffff8009f9e0\u003e] smp_call_function_many_cond+0x42c/0x436\n[  444.365295] [\u003cffffffff8009fa5a\u003e] on_each_cpu_cond_mask+0x20/0x32\n[  444.365311] [\u003cffffffff806e90dc\u003e] pmu_sbi_ctr_start+0x7a/0xaa\n[  444.365327] [\u003cffffffff806e880c\u003e] riscv_pmu_start+0x48/0x66\n[  444.365339] [\u003cffffffff8012111a\u003e] perf_adjust_freq_unthr_context+0x196/0x1ac\n[  444.365356] [\u003cffffffff801237aa\u003e] perf_event_task_tick+0x78/0x8c\n[  444.365368] [\u003cffffffff8003faf4\u003e] scheduler_tick+0xe6/0x25e\n[  444.365383] [\u003cffffffff8008a042\u003e] update_process_times+0x80/0x96\n[  444.365398] [\u003cffffffff800991ec\u003e] tick_sched_handle+0x26/0x52\n[  444.365410] [\u003cffffffff800993e4\u003e] tick_sched_timer+0x50/0x98\n[  444.365422] [\u003cffffffff8008a6aa\u003e] __hrtimer_run_queues+0x126/0x18a\n[  444.365433] [\u003cffffffff8008b350\u003e] hrtimer_interrupt+0xce/0x1da\n[  444.365444] [\u003cffffffff806cdc60\u003e] riscv_timer_interrupt+0x30/0x3a\n[  444.365457] [\u003cffffffff8006afa6\u003e] handle_percpu_devid_irq+0x80/0x114\n[  444.365470] [\u003cffffffff80065b82\u003e] generic_handle_domain_irq+0x1c/0x2a\n[  444.365483] [\u003cffffffff8045faec\u003e] riscv_intc_irq+0x2e/0x46\n[  444.365497] [\u003cffffffff808a9c62\u003e] handle_riscv_irq+0x4a/0x74\n[  444.365521] [\u003cffffffff808aa760\u003e] do_irq+0x7c/0x7e\n[  444.365796] ---[ end trace 0000000000000000 ]---\n\nThat\u0027s because the fix in commit 3fec323339a4 (\"drivers: perf: Fix panic\nin riscv SBI mmap support\") was wrong since there is no need to broadcast\nto other cpus when starting a counter, that\u0027s only needed in mmap when\nthe counters could have already been started on other cpus, so simply\nremove this broadcast.",
  "id": "GHSA-r823-qmw9-v7xf",
  "modified": "2024-05-21T18:31:22Z",
  "published": "2024-05-21T18:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52839"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/61e3d993c8bd3e80f8f1363ed5e04f88ab531b72"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/85be1a73fd298ed3fd060dfce97caef5f9928c57"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.