Petr Pavlu

Name of the Vulnerable Software and Affected Versions: Linux Kernel (affected versions not specified) Description: The issue concerns the Linux kernel's ring-buffer, where the function `ring buffer subbuf order set()` updates each `ring buffer per cpu` and installs new sub buffers that match the requested page order. This operation may be invoked concurrently with readers that rely on some of the modified data, such as the head bit (`RB PAGE HEAD`), or the `ring buffer per cpu.pages` and `reader page` pointers. However, no exclusive access is acquired by `ring buffer subbuf order set()`. Modifying the mentioned data while a reader also operates on them can then result in incorrect memory access and various crashes. The problem is fixed by taking the `reader lock` when updating a specific `ring buffer per cpu` in `ring buffer subbuf order set()`. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** The issue is related to a race condition between readers and resize checks in the ring buffer of the Linux kernel. The reader code in `rb get reader page()` swaps a new reader page into the ring buffer, which can lead to a temporary inconsistency in the underlying doubly-linked list. The resize operation in `ring buffer resize()` can be invoked in parallel and calls `rb check pages()`, which can detect this inconsistency and stop further tracing. This can cause a denial of service. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include: - The `rb get reader page()` function swaps a new reader page into the ring buffer by doing cmpxchg on `old->list.prev->next` to point it to the new page. - The `ring buffer resize()` function can be invoked in parallel and calls `rb check pages()`, which can detect the inconsistency and stop further tracing. - The `rb check pages()` function checks the consistency of the ring buffer pages. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.37 or later. As a temporary workaround, consider disabling the `rb get reader page()` function until a patch is available. Restrict access to the vulnerable `ring buffer resize()` function to minimize the risk of exploitation. Avoid using the `rb check pages()` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.7.0 **Description** The issue is caused by CPU reordering of writes issued from tracing map insert(). This can lead to incorrect determination of key matches on another CPU, resulting in unexpected warnings about duplicate histogram entries. The problem can be reproduced by running specific commands in parallel on a multi-processor AArch64 machine. **Recommendations** To resolve the issue, update the Linux kernel to version 6.7.0 or later. If updating is not possible, consider disabling the tracing feature or restricting access to the vulnerable module until a patch is available.