PT-2025-3595 · Linux · Linux Kernel
Published 2025-01-11 · Updated 2026-03-14
CVE-2024-57849
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.74
Description
The issue arises from the handling of CPU hotplug removal while sampling is active in the Linux kernel's s390 CPU-Measurement Sampling Facility driver (cpum_sf). When a CPU is taken offline, s390_pmu_sf_offline_cpu() runs, deallocates that CPU's sampling data buffers (SDBs) and clears the PMU_F_RESERVED flag. If an event is still active on the removed CPU, the perf subsystem's own hotplug handling then stops and removes the event on that CPU, passing through perf_event_exit_cpu(), cpumsf_pmu_del() and hw_perf_event_update(). While removing the event, the driver tries to read the remaining samples out of the SDBs, but those buffers have already been freed and may have been reused, so the read is a use-after-free: at best the memory still holds the old data, otherwise the samples returned are invalid. The fix checks whether the CPU is still reserved (PMU_F_RESERVED set) before touching the SDBs and skips the read when it is not.
Recommendations
Update to Linux kernel 6.6.74 or later, or to the build of your distribution's kernel that carries the fix. Until the update is applied, avoid offlining CPUs (for example by writing 0 to /sys/devices/system/cpu/cpuN/online) while cpum_sf sampling events are active, since the use-after-free needs both an active sampling event and a CPU removal. Triggering the bug also requires local access to perf events (the PR:L in the vector), so tightening the kernel.perf_event_paranoid sysctl to deny unprivileged perf_event_open limits who can bring about the condition. The vulnerable path is in the s390 driver, so in practice only s390 (IBM Z) kernels execute it.
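To make the sequence in the description and the check added by the fix concrete, here is an added C model (not the kernel's code and not part of this advisory): a per-CPU state carrying a PMU_F_RESERVED flag, an event that caches the SDB table address, an offline handler that releases the buffers, and a drain routine that reads them with or without the reserved-state check. The struct layouts, the flag value, NR_SDBS and the magic marker are assumptions made for the example; the kernel function names in the comments only label which real step each routine stands in for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMU_F_RESERVED  0x1000  /* assumed value; the kernel has its own */
#define NR_SDBS         4
#define SDB_VALID_MAGIC 0x5A5A

struct sdb { uint16_t magic; uint16_t sample; };  /* sample data block */

struct cpu_hw_sf {              /* per-CPU sampling state */
	unsigned int flags;
	struct sdb *sdbt;       /* SDB table, NULL once released */
	unsigned int nr;
};

struct hw_perf_event {          /* the event keeps its own copy of the table */
	struct sdb *sdbt;       /* stale after deallocate_buffers() */
	unsigned int nr;
	unsigned int good_samples;
	unsigned int bad_samples;
};

/* Static storage standing in for the SDB pages. On release it is
 * overwritten, modelling reuse by another allocation; in the kernel the
 * stale read would be undefined behaviour, here the garbage is visible. */
static struct sdb sdb_pages[NR_SDBS];

static void allocate_buffers(struct cpu_hw_sf *cpuhw, struct hw_perf_event *hwc)
{
	for (unsigned int i = 0; i < NR_SDBS; i++) {
		sdb_pages[i].magic = SDB_VALID_MAGIC;
		sdb_pages[i].sample = (uint16_t)(100 + i);
	}
	cpuhw->sdbt = sdb_pages;
	cpuhw->nr = NR_SDBS;
	cpuhw->flags |= PMU_F_RESERVED;
	hwc->sdbt = sdb_pages;
	hwc->nr = NR_SDBS;
}

/* CPU hotplug remove: stands in for s390_pmu_sf_offline_cpu(), which frees
 * the SDBs and clears PMU_F_RESERVED; the event's cached pointer dangles. */
static void deallocate_buffers(struct cpu_hw_sf *cpuhw)
{
	memset(sdb_pages, 0xdd, sizeof(sdb_pages));
	cpuhw->sdbt = NULL;
	cpuhw->nr = 0;
	cpuhw->flags &= ~PMU_F_RESERVED;
}

/* Event teardown: stands in for perf_event_exit_cpu() -> cpumsf_pmu_del() ->
 * hw_perf_event_update(), which drains the samples left in the SDBs.
 * 'fixed' selects the patched behaviour. Returns the number of SDBs read. */
static unsigned int hw_perf_event_update(struct cpu_hw_sf *cpuhw,
					 struct hw_perf_event *hwc, int fixed)
{
	/* The fix: an unreserved CPU has no SDBs left to read. */
	if (fixed && !(cpuhw->flags & PMU_F_RESERVED))
		return 0;

	unsigned int consumed = 0;
	for (unsigned int i = 0; i < hwc->nr; i++) {
		if (hwc->sdbt[i].magic == SDB_VALID_MAGIC)
			hwc->good_samples++;
		else
			hwc->bad_samples++;
		consumed++;
	}
	return consumed;
}

/* CPU removed while the event is active; returns invalid samples consumed. */
static unsigned int hotplug_remove_bad_samples(int fixed)
{
	struct cpu_hw_sf cpuhw = {0};
	struct hw_perf_event hwc = {0};

	allocate_buffers(&cpuhw, &hwc);
	deallocate_buffers(&cpuhw);                 /* offline handler runs first */
	hw_perf_event_update(&cpuhw, &hwc, fixed);  /* then the event is removed */
	return hwc.bad_samples;
}

/* Ordinary stop on a live CPU; returns valid samples consumed. */
static unsigned int normal_stop_good_samples(int fixed)
{
	struct cpu_hw_sf cpuhw = {0};
	struct hw_perf_event hwc = {0};

	allocate_buffers(&cpuhw, &hwc);
	hw_perf_event_update(&cpuhw, &hwc, fixed);
	return hwc.good_samples;
}

int main(void)
{
	printf("unpatched, CPU removed: %u invalid samples read\n", hotplug_remove_bad_samples(0));
	printf("patched,   CPU removed: %u invalid samples read\n", hotplug_remove_bad_samples(1));
	printf("patched,   live CPU:    %u valid samples read\n", normal_stop_good_samples(1));
	return 0;
}
```

With `fixed` set to 0 the drain routine walks the stale table and consumes four blocks of reused memory, which is the invalid-sample outcome the advisory describes; with the check in place it returns without reading, while an ordinary stop on a live CPU still drains all four valid blocks.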
Exploit
Fix
Weakness Enumeration
Use After Free (CWE-416)
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu