Peter Zijlstra

Researcher from Intel
#17368 of 53,632
15.5 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)
PT-2024-30728 · 5.5 · 2024-07-09 · Linux · Linux Kernel · CVE-2024-43870
**Name of the Vulnerable Software and Affected Versions**

Linux kernel versions prior to 6.6.50

**Description**

When a task is scheduled out, pending SIGTRAP deliveries are deferred to the target task and delivered on its return to userspace via task work. Failures while adding an event's callback to the task work engine are ignored, which leaves a small window in which a pending SIGTRAP can be queued and then dropped, so the event reference taken for that delivery is never released (an event refcount leak). This occurs in the following scenario: when a task exits, the final call into the events exit path happens after task work has already been closed, so the event is never released.

Technical details:

- The error handling around `task_work_add()` is inadequate, leading to the leak.
- The `event->pending_sigtrap` field tracks pending SIGTRAP deliveries.
- `irq_work_queue()` is used to queue the pending IRQ work.
- `perf_event_overflow()` is involved in the scenario where the leak occurs.
- `event_sched_out()` is called when the task is scheduled out.
- `perf_pending_irq()` returns early when `event->oncpu` is -1.

**Recommendations**

To resolve the issue, update the Linux kernel to version 6.6.50 or later, which includes the fix for the event leak upon exit. As a temporary workaround, consider disabling the `perf_event_overflow()` function until a patch is available. Restrict access to the `task_work_add()` function to minimize the risk of exploitation. Avoid using the `event->pending_sigtrap` variable in the affected API endpoint until the issue is resolved.