perf_event kernel panics and crashes
This page describes kernel bugs in the perf_event subsystem
that can let userspace programs (such as those using PAPI)
crash the system.
Sample code that shows some of these issues can be found in
the perf_event testsuite.
Yet to Be Fixed
Fixed in 3.13
- perf ftrace function tracer permission lockup
Fixed by 12ae030d54ef250706da5642fc7697cc60ad0df7
CVE-2013-2930
Found by trinity and perf_fuzzer. It is trivially easy
for a plain user to lock the kernel due to an improper
check for root permissions in the ftrace code.
- Alpha bug found by perf_fuzzer
Fixed in: 6e22f8f2e8d81dca
Fixed in 3.11
- ARM and ARM64 oops due to over-running config
Fixed by d9f966357b14e356
Introduced with Linux 3.2 with 8a16b34e2119
- CVE-2013-4254: ARM and ARM64 oops in validate event
This bug is potentially a local root exploit, but as far
as I can tell there was an extremely narrow window of time
where it was easy to exploit (from 3.11-rc1 through 3.11-rc6)
Fixed by c95eb3184ea1a3a25
Introduced with Linux 3.2 with 8a16b34e2119
Fixed in 3.10
- mmap_close bug.
Denial of service.
Found by perf_fuzzer. It happens if you
do some complicated event setup involving mmap buffers
and then exit.
Introduced sometime between 3.0 and 3.2?
Fixed in 3.10, commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b
Fixed in 3.9
- CVE-2013-2094 : Software Event u64/u32 Problem
Local root exploit.
Found by trinity. This panic is
caused by setting attr.config too high for software events,
and it wasn't caught due to a 32/64-bit check?
Introduced in commit b0a873ebb ("perf: Register PMU implementations").
The patch that fixes it is:
[PATCH] perf: treat attr.config as u64 in perf_swevent_init()
vulnerable through 3.9
Fixed in 8176cced706b5e5d15887584150764894e94e02f
- offcore_response_mask
Denial of service
On Sandybridge and Ivybridge the offcore events were not properly
masked to avoid setting reserved bits.
This could potentially cause a GPF but
I have not been able to cause one with a 3.8 kernel.
Fixed in f1923820c447e986a9da0fc6bf60c1dccdf0408e
- perf,x86: fix kernel crash with PEBS/BTS after suspend/resume
Denial of service
Fixed in 1d9d8639c063caf6efc2447f5f26aa637f844ff6
The test involves suspending/resuming while perf is being used,
and there's not a good way to automate such a test.
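The narrowing problem behind CVE-2013-2094 (listed above, fixed by treating attr.config as u64 in perf_swevent_init()) can be seen in a userspace sketch. This is an added example, not kernel code and not from the perf_event testsuite; SW_MAX, ERR_NOENT, both function names and the sample inputs are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SW_MAX 9          /* constructed table size for this sketch */
#define ERR_NOENT (-2)    /* stand-in for -ENOENT */

/* Pre-fix pattern: config is narrowed to a signed int, then only the
 * upper bound is tested. A negative value slips past the comparison. */
static int validate_narrowed(uint64_t config, int64_t *index)
{
    int32_t event_id = (int32_t)(uint32_t)config; /* wraps on gcc/clang */
    if (event_id >= SW_MAX)
        return ERR_NOENT;
    *index = event_id;   /* would be used as an array index */
    return 0;
}

/* Post-fix pattern: compare the full unsigned 64-bit value. */
static int validate_u64(uint64_t config, int64_t *index)
{
    if (config >= SW_MAX)
        return ERR_NOENT;
    *index = (int64_t)config;
    return 0;
}

int main(void)
{
    /* Constructed inputs: valid id, plainly too large, bit 31 set. */
    const uint64_t samples[] = { 3, 100, (uint64_t)1 << 31 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t a = 0, b = 0;
        int ra = validate_narrowed(samples[i], &a);
        int rb = validate_u64(samples[i], &b);
        printf("config=%#llx narrowed:%s(index %lld) u64:%s\n",
               (unsigned long long)samples[i],
               ra ? "reject" : "accept", (long long)a,
               rb ? "reject" : "accept");
    }
    return 0;
}
```

The third sample is accepted by the narrowed check with a negative index and rejected by the u64 check, which is why the fix changes the type rather than the bound.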
Fixed in 3.5
- CGROUP reference counting problem
Fixed by changeset: 9c5da09d266ca9b3
Fixed in 3.2
- SLUB problem
Linux 3.1.4 and 3.1.5 hard lock or panic when under high perf_event
load if SLUB is enabled rather than SLAB. See full details in
this thread:
perf_event hard locks in 3.1.5. Still no resolution; git-bisect
was inconclusive.
Fixed in 3.1
- CVE-2011-2918: Software Event Overflow Bug
Denial of service.
An error with overflows and perf::perf_count_sw_cpu_clock (and probably
any software event) will cause your test to either become unkillable,
or else hard lock your system. Sometimes generates a
WARN_ON first. Affects Linux 2.6.32 - 3.0.0.
Linux-kernel thread where
I report this issue.
Fixed by changeset
a8b0ca17b80e92faab46ee7179ba9e99ccb61233
and will be in 3.1.
Also backported to some stable releases, 462fee3af72df0de7b60b96c525ffe8baf4db0f0.
Fixed in 2.6.39
- CVE-2011-4611 : perf, powerpc
Denial of service.
Fixed in 0837e3242c7
- CVE-2011-2521 : perf, x86: fix Intel fixed counters base initialization
Denial of service.
Introduced by 41bf498, fixed by fc66c5210ec2
- Inherit Bug
Denial of service
With this bug you could quickly out-of-memory your system if your
program enabled the "inherit" option, counted at least two events,
and spawned threads.
Linux kernel thread where I report the issue.
Fixed by changeset
38b435b16c36b0d863efcf3f07b34a6fac9873fd
and will be in 2.6.39.
Also in stable releases (2.6.38.2, etc.)
- Task Context Scheduling Bug
Denial of service
This bug is most noticeable when using multiple threads.
The perfsuite "make -s check" test failure is what made me notice it.
Symptoms were hard system lockup.
Fixed by changeset
ab711fe08297de1485fff0a366e6db8828cafd6a and will be in 2.6.39.
Also in stable releases (2.6.38.4, etc.)
Fixed in 2.6.37
- CVE-2010-4169
Denial of service.
Introduced by dab5855, fixed by 63bfd7384b1
Fixed in 2.6.32
- CVE-2009-3234 Buffer overflow in the perf_copy_attr
Local root exploit.
Fixed in b3e62e350