Junhao He

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to an out-of-bound access in the `hns3 pmu validate event group()` function in the Linux kernel. This occurs when the `perf` tool is used to create event groups, and the driver does not check if the array index is out of bounds when writing data to the `event group` array. If the number of events in an event group exceeds `HNS3 PMU MAX HW EVENTS`, a memory write overflow of the `event group` array can happen. The vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The `perf stat` command with the `-e` option can be used to create event groups, for example, `perf stat -e '{pmu/event1/, ... ,pmu/event9/}'`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is caused by an out-of-bounds access in the `hisi pcie pmu validate event group()` function. This occurs when the number of events in an event group exceeds `HISI PCIE MAX COUNTERS`, leading to a memory write overflow of the `event group` array. The `perf` tool allows users to create event groups through the command `perf stat -e '{pmu/event1/, ... ,pmu/event9/}'`. To exploit this, an attacker would need to create an event group with more than `HISI PCIE MAX COUNTERS` events. There are 9 different events in an event group. The vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free error in the Linux kernel's hisi component. When registering the uncore pmu fails, the pmu context may not be allocated, leading to a potential use-after-free situation. This can occur when the `cuhp state remove instance()` function is called, which can migrate the pmu context. The error handling in this case can lead to notifiers executing after the PMU device has failed to register. The vulnerability can be exploited to elevate privileges in the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.