CVE-2022-49782

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49782
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49782.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49782
Downstream
Published
2025-05-01T14:09:16Z
Modified
2025-10-15T00:10:16.225061Z
Summary
perf: Improve missing SIGTRAP checking
Details

In the Linux kernel, the following vulnerability has been resolved:

perf: Improve missing SIGTRAP checking

To catch missing SIGTRAP we employ a WARN in __perf_event_overflow(), which fires if pending_sigtrap was already set: returning to user space without consuming pending_sigtrap, and then having the event fire again would re-enter the kernel and trigger the WARN.

This, however, seemed to miss the case where some events not associated with progress in the user space task can fire and the interrupt handler runs before the IRQ work meant to consume pending_sigtrap (and generate the SIGTRAP).

syzbot gifted us this stack trace:

 | WARNING: CPU: 0 PID: 3607 at kernel/events/core.c:9313 __perf_event_overflow
 | Modules linked in:
 | CPU: 0 PID: 3607 Comm: syz-executor100 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0
 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
 | RIP: 0010:__perf_event_overflow+0x498/0x540 kernel/events/core.c:9313
 | <...>
 | Call Trace:
 |  <TASK>
 |  perf_swevent_hrtimer+0x34f/0x3c0 kernel/events/core.c:10729
 |  __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
 |  __hrtimer_run_queues+0x1c6/0xfb0 kernel/time/hrtimer.c:1749
 |  hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811
 |  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline]
 |  __sysvec_apic_timer_interrupt+0x17c/0x640 arch/x86/kernel/apic/apic.c:1113
 |  sysvec_apic_timer_interrupt+0x40/0xc0 arch/x86/kernel/apic/apic.c:1107
 |  asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
 | <...>
 |  </TASK>

In this case, syzbot produced a program with event type PERF_TYPE_SOFTWARE and config PERF_COUNT_SW_CPU_CLOCK. The hrtimer manages to fire again before the IRQ work got a chance to run, all while never having returned to user space.

Improve the WARN to check for real progress in user space: approximate this by storing a 32-bit hash of the current IP into pending_sigtrap, and if an event fires while pending_sigtrap still matches the previous IP, we assume no progress (false negatives are possible given we could return to user space and trigger again on the same IP).

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ca7b0a10287e2733bdafb01ef0d4038536625fe3
Fixed
35c60b4e8ca76712dd03bafe2598e31578248916
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
078c12ccf1fb943cc18c84894c76113dc89e5975
Fixed
b09221f1b4944d2866d06ac35e59d7a6f8916c9f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ca6c21327c6af02b7eec31ce4b9a740a18c6c13f
Fixed
bb88f9695460bec25aa30ba9072595025cf6c8af

Affected versions

v5.*

v5.15.77
v5.15.78
v5.15.79

v6.*

v6.0.7
v6.0.8
v6.0.9
v6.1-rc2
v6.1-rc3
v6.1-rc4

Database specific

vanir_signatures


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.77
Fixed
5.15.80
Type
ECOSYSTEM
Events
Introduced
6.0.7
Fixed
6.0.10