CVE-2024-26703

In the Linux kernel, the following vulnerability has been resolved:

tracing/timerlat: Move hrtimerinit to timerlatfd open()

Currently, the timerlat's hrtimer is initialized at the first read of timerlat_fd, and destroyed at close(). It works, but it causes an error if the user program open() and close() the file without reading.

Here's an example:

# echo NOOSNOISEWORKLOAD > /sys/kernel/debug/tracing/osnoise/options # echo timerlat > /sys/kernel/debug/tracing/current_tracer

# cat <<EOF > ./timerlat_load.py # !/usr/bin/env python3

timerlatfd = open("/sys/kernel/tracing/osnoise/percpu/cpu0/timerlatfd", 'r') timerlatfd.close(); EOF

# ./taskset -c 0 ./timerlat_load.py <BOOM>

BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor read access in kernel mode #PF: errorcode(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2673 Comm: python3 Not tainted 6.6.13-200.fc39.x8664 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 RIP: 0010:hrtimeractive+0xd/0x50 Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 57 30 <8b> 42 10 a8 01 74 09 f3 90 8b 42 10 a8 01 75 f7 80 7f 38 00 75 1d RSP: 0018:ffffb031009b7e10 EFLAGS: 00010286 RAX: 000000000002db00 RBX: ffff9118f786db08 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9117a0e64400 RDI: ffff9118f786db08 RBP: ffff9118f786db80 R08: ffff9117a0ddd420 R09: ffff9117804d4f70 R10: 0000000000000000 R11: 0000000000000000 R12: ffff9118f786db08 R13: ffff91178fdd5e20 R14: ffff9117840978c0 R15: 0000000000000000 FS: 00007f2ffbab1740(0000) GS:ffff9118f7840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 00000001b402e000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: <TASK> ? _die+0x23/0x70 ? pagefaultoops+0x171/0x4e0 ? srsoaliasreturnthunk+0x5/0x7f ? avchasextendedperms+0x237/0x520 ? excpagefault+0x7f/0x180 ? asmexcpagefault+0x26/0x30 ? hrtimeractive+0xd/0x50 hrtimercancel+0x15/0x40 timerlatfdrelease+0x48/0xe0 _fput+0xf5/0x290 _x64sysclose+0x3d/0x80 dosyscall64+0x60/0x90 ? srsoaliasreturnthunk+0x5/0x7f ? _x64sysioctl+0x72/0xd0 ? srsoaliasreturnthunk+0x5/0x7f ? syscallexittousermode+0x2b/0x40 ? srsoaliasreturnthunk+0x5/0x7f ? dosyscall64+0x6c/0x90 ? srsoaliasreturnthunk+0x5/0x7f ? exittousermodeprepare+0x142/0x1f0 ? srsoaliasreturnthunk+0x5/0x7f ? syscallexittousermode+0x2b/0x40 ? srsoaliasreturnthunk+0x5/0x7f ? dosyscall64+0x6c/0x90 entrySYSCALL64afterhwframe+0x6e/0xd8 RIP: 0033:0x7f2ffb321594 Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 cd 0d 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d RSP: 002b:00007ffe8d8eef18 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 00007f2ffba4e668 RCX: 00007f2ffb321594 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007ffe8d8eef40 R08: 0000000000000000 R09: 0000000000000000 R10: 55c926e3167eae79 R11: 0000000000000202 R12: 0000000000000003 R13: 00007ffe8d8ef030 R14: 0000000000000000 R15: 00007f2ffba4e668 </TASK> CR2: 0000000000000010 ---[ end trace 0000000000000000 ]---

Move hrtimerinit to timerlatfd open() to avoid this problem.