CVE-2024-26703
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-26703
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26703.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-26703
- Downstream
- Related
- Published
- 2024-04-03T14:55:01Z
- Modified
- 2025-10-14T12:52:13.992648Z
- Summary
- tracing/timerlat: Move hrtimer_init to timerlat_fd open()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
tracing/timerlat: Move hrtimerinit to timerlatfd open()
Currently, the timerlat's hrtimer is initialized at the first read of timerlat_fd, and destroyed at close(). It works, but it causes an error if the user program open() and close() the file without reading.
Here's an example:
# echo NOOSNOISEWORKLOAD > /sys/kernel/debug/tracing/osnoise/options # echo timerlat > /sys/kernel/debug/tracing/current_tracer
# cat <<EOF > ./timerlat_load.py # !/usr/bin/env python3
timerlatfd = open("/sys/kernel/tracing/osnoise/percpu/cpu0/timerlatfd", 'r') timerlatfd.close(); EOF
# ./taskset -c 0 ./timerlat_load.py <BOOM>
BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor read access in kernel mode #PF: errorcode(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2673 Comm: python3 Not tainted 6.6.13-200.fc39.x8664 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 RIP: 0010:hrtimeractive+0xd/0x50 Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 57 30 <8b> 42 10 a8 01 74 09 f3 90 8b 42 10 a8 01 75 f7 80 7f 38 00 75 1d RSP: 0018:ffffb031009b7e10 EFLAGS: 00010286 RAX: 000000000002db00 RBX: ffff9118f786db08 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9117a0e64400 RDI: ffff9118f786db08 RBP: ffff9118f786db80 R08: ffff9117a0ddd420 R09: ffff9117804d4f70 R10: 0000000000000000 R11: 0000000000000000 R12: ffff9118f786db08 R13: ffff91178fdd5e20 R14: ffff9117840978c0 R15: 0000000000000000 FS: 00007f2ffbab1740(0000) GS:ffff9118f7840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 00000001b402e000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: <TASK> ? _die+0x23/0x70 ? pagefaultoops+0x171/0x4e0 ? srsoaliasreturnthunk+0x5/0x7f ? avchasextendedperms+0x237/0x520 ? excpagefault+0x7f/0x180 ? asmexcpagefault+0x26/0x30 ? hrtimeractive+0xd/0x50 hrtimercancel+0x15/0x40 timerlatfdrelease+0x48/0xe0 _fput+0xf5/0x290 _x64sysclose+0x3d/0x80 dosyscall64+0x60/0x90 ? srsoaliasreturnthunk+0x5/0x7f ? _x64sysioctl+0x72/0xd0 ? srsoaliasreturnthunk+0x5/0x7f ? syscallexittousermode+0x2b/0x40 ? srsoaliasreturnthunk+0x5/0x7f ? dosyscall64+0x6c/0x90 ? srsoaliasreturnthunk+0x5/0x7f ? exittousermodeprepare+0x142/0x1f0 ? srsoaliasreturnthunk+0x5/0x7f ? syscallexittousermode+0x2b/0x40 ? srsoaliasreturnthunk+0x5/0x7f ? dosyscall64+0x6c/0x90 entrySYSCALL64afterhwframe+0x6e/0xd8 RIP: 0033:0x7f2ffb321594 Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 cd 0d 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d RSP: 002b:00007ffe8d8eef18 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 00007f2ffba4e668 RCX: 00007f2ffb321594 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007ffe8d8eef40 R08: 0000000000000000 R09: 0000000000000000 R10: 55c926e3167eae79 R11: 0000000000000202 R12: 0000000000000003 R13: 00007ffe8d8ef030 R14: 0000000000000000 R15: 00007f2ffba4e668 </TASK> CR2: 0000000000000010 ---[ end trace 0000000000000000 ]---
Move hrtimerinit to timerlatfd open() to avoid this problem.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede88ed227f639ebcb31ed4e5b88756b47d904584bFixed5f703935fdb559642d85b2088442ee55a557ae6d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede88ed227f639ebcb31ed4e5b88756b47d904584bFixed2354d29986ebd138f89c2b73fecf8237e0a4ad6b
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede88ed227f639ebcb31ed4e5b88756b47d904584bFixed1389358bb008e7625942846e9f03554319b7fecc
Affected versions
v6.*
Database specific
{
"vanir_signatures": [
{
"id": "CVE-2024-26703-4b6df04f",
"signature_type": "Function",
"digest": {
"function_hash": "320661089185118042009539061283624717056",
"length": 755.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2354d29986ebd138f89c2b73fecf8237e0a4ad6b",
"target": {
"file": "kernel/trace/trace_osnoise.c",
"function": "timerlat_fd_open"
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2024-26703-77eede46",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"154899724889040363025989366486746678316",
"71070599513189095242551130217387030482",
"4182620746184223798259103977877171928",
"169931844600463242090763194881926471963",
"224693265756841786212103563727090711528",
"108514221505791938552902427677077009529",
"36217354315526628158286926817647178400",
"50346672800690584920249320362545372447"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2354d29986ebd138f89c2b73fecf8237e0a4ad6b",
"target": {
"file": "kernel/trace/trace_osnoise.c"
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2024-26703-80d1ecdb",
"signature_type": "Function",
"digest": {
"function_hash": "309431298264636164322706033237325358220",
"length": 1656.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2354d29986ebd138f89c2b73fecf8237e0a4ad6b",
"target": {
"file": "kernel/trace/trace_osnoise.c",
"function": "timerlat_fd_read"
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2024-26703-868d2b56",
"signature_type": "Function",
"digest": {
"function_hash": "320661089185118042009539061283624717056",
"length": 755.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1389358bb008e7625942846e9f03554319b7fecc",
"target": {
"file": "kernel/trace/trace_osnoise.c",
"function": "timerlat_fd_open"
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2024-26703-a620f59d",
"signature_type": "Function",
"digest": {
"function_hash": "309431298264636164322706033237325358220",
"length": 1656.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5f703935fdb559642d85b2088442ee55a557ae6d",
"target": {
"file": "kernel/trace/trace_osnoise.c",
"function": "timerlat_fd_read"
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2024-26703-a69098dd",
"signature_type": "Function",
"digest": {
"function_hash": "309431298264636164322706033237325358220",
"length": 1656.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1389358bb008e7625942846e9f03554319b7fecc",
"target": {
"file": "kernel/trace/trace_osnoise.c",
"function": "timerlat_fd_read"
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2024-26703-be9525fb",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"154899724889040363025989366486746678316",
"71070599513189095242551130217387030482",
"4182620746184223798259103977877171928",
"169931844600463242090763194881926471963",
"224693265756841786212103563727090711528",
"108514221505791938552902427677077009529",
"36217354315526628158286926817647178400",
"50346672800690584920249320362545372447"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5f703935fdb559642d85b2088442ee55a557ae6d",
"target": {
"file": "kernel/trace/trace_osnoise.c"
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2024-26703-cfd45784",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"154899724889040363025989366486746678316",
"71070599513189095242551130217387030482",
"4182620746184223798259103977877171928",
"169931844600463242090763194881926471963",
"224693265756841786212103563727090711528",
"108514221505791938552902427677077009529",
"36217354315526628158286926817647178400",
"50346672800690584920249320362545372447"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1389358bb008e7625942846e9f03554319b7fecc",
"target": {
"file": "kernel/trace/trace_osnoise.c"
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2024-26703-dc717aba",
"signature_type": "Function",
"digest": {
"function_hash": "320661089185118042009539061283624717056",
"length": 755.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5f703935fdb559642d85b2088442ee55a557ae6d",
"target": {
"file": "kernel/trace/trace_osnoise.c",
"function": "timerlat_fd_open"
},
"deprecated": false,
"signature_version": "v1"
}
]
}