Linux Kernel perf_event bugs
Many of these were found by perf_fuzzer (as noted).
Outstanding Crashes (reproducible):
Outstanding Warnings (reproducible):
Outstanding correctness Issues:
Outstanding Crashes (not easily reproducible):
Outstanding Warnings (not easily reproducible):
Outstanding (but not recently seen) bugs:
Fixed bugs:
Fixed in 3.19
Fixed in 3.18
Fixed in 3.17
Fixed in 3.16
Fixed in 3.15
Fixed in 3.14
Fixed in 3.13
- perf ftrace function tracer permission lockup
perf/ftrace: Fix paranoid level for enabling function tracer
This one took months to isolate and track down.
ftrace function tracing can spend so much time in the kernel
that the kernel gets wedged and, for all intents and purposes, locks up.
The ftrace people dragged their feet on this one for months.
Reported-by: Vince Weaver, Dave Jones
Fixed-by-Commit: 12ae030d54ef250706da5642fc7697cc60ad0df7 (in 3.13)
CVE-2013-2930
Found by trinity and perf_fuzzer. It is trivially easy
for an unprivileged user to lock up the kernel, due to an improper
check for root permissions in the ftrace code.
- Tracepoint aliasing issue
Linux-kernel thread, 15 November 2013: [PATCH] perf/trace properly use u64 to hold event_id
Reported-by: Vince Weaver (noticed in fuzzer trace)
Fixed-by-Commit: 0022cedd4a7d8a87841351e2b018bb6794cf2e67 (in 3.13-rc3)
- Alpha bug found by perf_fuzzer
alpha: perf: fix out-of-bounds array access triggered from raw event
Reported-by: Will Deacon
Fixed-by-Commit: 6e22f8f2e8d81dcab4c40bc229d53388fda63dbc (in 3.13)
Fixed in 3.11
- ARM: 7810/1: perf: Fix array out of bounds access in armpmu_map_hw_event()
Found by perf_fuzzer.
Reported-by: Vince Weaver
Fixed-by-Commit: d9f966357b14e356dbd83b8f4a197a287ab4ff83
Introduced in Linux 3.2 by commit 8a16b34e2119
- CVE 2013-4254: ARM and ARM64 oops in validate event
ARM: 7809/1: perf: fix event validation for software group leaders
Reported-by: Vince Weaver
Fixed-by-Commit: c95eb3184ea1a3a2551df57190c81da695e2144b
Found by perf_fuzzer.
This bug is potentially a local root exploit, but as far
as I can tell there was an extremely narrow window of time
where it was easy to exploit (from 3.11-rc1 through 3.11-rc6).
Introduced in Linux 3.2 by commit 8a16b34e2119
- arm64: perf: fix array out of bounds access in armpmu_map_hw_event()
Reported-by: Will Deacon
Fixed-by-Commit: 868f6fea8fa63f09acbfa93256d0d2abdcabff79
- arm64: perf: fix event validation for software group leaders
Reported-by: Will Deacon
Fixed-by-Commit: ee7538a008a45050c8f706d38b600f55953169f9
- WARNING: at kernel/events/core.c:2122
Fixed in 3.10
- perf: Fix mmap() accounting hole
Reported-and-tested-by: Vince Weaver
Fixed-by-Commit: 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b
Denial of service.
Found by perf_fuzzer. It happens if you
do some complicated event setup involving mmap buffers
and then exit.
Introduced sometime between 3.0 and 3.2?
- perf: Fix perf mmap bugs
Reported-by: Vince Weaver
Fixed-by-Commit: 26cb63ad11e04047a64309362674bcbbd6a6f246
Fixed in 3.9
- CVE-2013-2094 : Software Event u64/u32 Problem
Local root exploit.
Found by trinity. This panic is
caused by setting attr.config too high for a software event,
and it was not caught, apparently because of a 32/64-bit problem in the check.
Introduced in commit b0a873ebb ("perf: Register PMU implementations").
The fixing patch is:
[PATCH] perf: treat attr.config as u64 in perf_swevent_init()
Vulnerable through 3.9.
Fixed in 8176cced706b5e5d15887584150764894e94e02f
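As an added illustration (not code from the kernel, the patch, or perf_fuzzer), the two functions below contrast the vulnerable shape of the attr.config bounds check, where the u64 is first stored in an int, with the u64 form the fix uses; SW_MAX is a constructed stand-in for PERF_COUNT_SW_MAX and the function names are invented.

```c
#include <stdint.h>
#include <stdbool.h>

/* Number of valid software event ids. Constructed constant standing in
 * for PERF_COUNT_SW_MAX; not taken from any particular kernel tree. */
#define SW_MAX 9

/* Vulnerable shape of the check: the 64-bit attr.config is copied into a
 * plain int first. Bits above 31 are lost and the comparison against
 * SW_MAX is then signed, so a large config can land at 0 or below and
 * pass the bound even though it is far outside the valid id range. */
bool sw_event_check_vulnerable(uint64_t config, long *index_out)
{
    int event_id = (int)config;        /* truncation, possibly negative */
    if (event_id >= SW_MAX)
        return false;
    *index_out = event_id;              /* may be negative or a wrong id */
    return true;
}

/* Fixed shape (the approach of the 3.9 fix): keep the full u64 and
 * compare unsigned, so every out-of-range config is rejected before the
 * value is ever used as an index. */
bool sw_event_check_fixed(uint64_t config, long *index_out)
{
    uint64_t event_id = config;
    if (event_id >= SW_MAX)
        return false;
    *index_out = (long)event_id;
    return true;
}
```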
- offcore_response_mask
Denial of service
On Sandy Bridge and Ivy Bridge the offcore events were not properly
masked to avoid setting reserved bits.
This could potentially cause a GPF but
I have not been able to cause one with a 3.8 kernel.
Fixed in f1923820c447e986a9da0fc6bf60c1dccdf0408e
- perf,x86: fix kernel crash with PEBS/BTS after suspend/resume
Denial of service
Fixed in 1d9d8639c063caf6efc2447f5f26aa637f844ff6
The test involves suspending/resuming while perf is being used,
and there's not a good way to automate such a test.
Fixed in 3.5 (pre-dates perf_fuzzer)
- CGROUP reference counting problem
Fixed by changeset: 9c5da09d266ca9b3
Fixed in 3.2 (pre-dates perf_fuzzer)
- SLUB problem
Linux 3.1.4 and 3.1.5 hard lock or panic when under high perf_event
load if SLUB is enabled rather than SLAB. See full details in
this thread:
perf_event hard locks in 3.1.5. Still no resolution; git-bisect
was inconclusive.
Fixed in 3.1 (pre-dates perf_fuzzer)
- CVE 2011-2918: Software Event Overflow Bug
Denial of service.
An error with overflows and perf::perf_count_sw_cpu_clock (and probably
any software event) will cause your test to either become unkillable
or else hard lock your system. Sometimes a WARN_ON is generated
first. Affects Linux 2.6.32 - 3.0.0.
Linux-kernel thread where
I report this issue.
Fixed by changeset
a8b0ca17b80e92faab46ee7179ba9e99ccb61233
Also backported to some stable releases as 462fee3af72df0de7b60b96c525ffe8baf4db0f0.
Fixed in 2.6.39 (pre-dates perf_fuzzer)
- CVE-2011-4611 : perf, powerpc
Denial of service.
Fixed in 0837e3242c7
- CVE-2011-2521 : perf, x86: fix Intel fixed counters base initialization
Denial of service
Introduced by 41bf498, fixed by fc66c5210ec2
- Inherit Bug
Denial of service
With this bug you could quickly out-of-memory your system if your
program enabled the "inherit" option, counted at least two events,
and spawned threads.
Linux kernel thread where I report the issue.
Fixed by changeset
38b435b16c36b0d863efcf3f07b34a6fac9873fd
- Task Context Scheduling Bug
Denial of service
This bug is most noticeable when using multiple threads.
The perfsuite "make -s check" test failure is what made me notice it.
Symptoms were hard system lockup.
Fixed by changeset
ab711fe08297de1485fff0a366e6db8828cafd6a
Fixed in 2.6.37 (pre-dates perf_fuzzer)
- CVE-2010-4169
Denial of service.
Introduced by dab5855, fixed by 63bfd7384b1
Fixed in 2.6.32 (pre-dates perf_fuzzer)
- CVE-2009-3234 Buffer overflow in the perf_copy_attr
Local root exploit.
Fixed in b3e62e350