CVE-2024-26703 in Linuxinfo

Summary

by MITRE • 04/03/2024

In the Linux kernel, the following vulnerability has been resolved:

tracing/timerlat: Move hrtimer_init to timerlat_fd open()

Currently, the timerlat's hrtimer is initialized at the first read of timerlat_fd, and destroyed at close(). It works, but it causes an error if the user program open() and close() the file without reading.

Here's an example:

# echo NO_OSNOISE_WORKLOAD > /sys/kernel/debug/tracing/osnoise/options # echo timerlat > /sys/kernel/debug/tracing/current_tracer

# cat ./timerlat_load.py # !/usr/bin/env python3

timerlat_fd = open("/sys/kernel/tracing/osnoise/per_cpu/cpu0/timerlat_fd", 'r') timerlat_fd.close(); EOF

# ./taskset -c 0 ./timerlat_load.py


BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 2673 Comm: python3 Not tainted 6.6.13-200.fc39.x86_64 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 RIP: 0010:hrtimer_active+0xd/0x50 Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 57 30 42 10 a8 01 74 09 f3 90 8b 42 10 a8 01 75 f7 80 7f 38 00 75 1d RSP: 0018:ffffb031009b7e10 EFLAGS: 00010286 RAX: 000000000002db00 RBX: ffff9118f786db08 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9117a0e64400 RDI: ffff9118f786db08 RBP: ffff9118f786db80 R08: ffff9117a0ddd420 R09: ffff9117804d4f70 R10: 0000000000000000 R11: 0000000000000000 R12: ffff9118f786db08 R13: ffff91178fdd5e20 R14: ffff9117840978c0 R15: 0000000000000000 FS: 00007f2ffbab1740(0000) GS:ffff9118f7840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 00000001b402e000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? srso_alias_return_thunk+0x5/0x7f ? avc_has_extended_perms+0x237/0x520 ? exc_page_fault+0x7f/0x180 ? asm_exc_page_fault+0x26/0x30 ? hrtimer_active+0xd/0x50 hrtimer_cancel+0x15/0x40 timerlat_fd_release+0x48/0xe0 __fput+0xf5/0x290 __x64_sys_close+0x3d/0x80 do_syscall_64+0x60/0x90 ? srso_alias_return_thunk+0x5/0x7f ? __x64_sys_ioctl+0x72/0xd0 ? srso_alias_return_thunk+0x5/0x7f ? syscall_exit_to_user_mode+0x2b/0x40 ? srso_alias_return_thunk+0x5/0x7f ? do_syscall_64+0x6c/0x90 ? srso_alias_return_thunk+0x5/0x7f ? exit_to_user_mode_prepare+0x142/0x1f0 ? srso_alias_return_thunk+0x5/0x7f ? syscall_exit_to_user_mode+0x2b/0x40 ? srso_alias_return_thunk+0x5/0x7f ? do_syscall_64+0x6c/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7f2ffb321594 Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 cd 0d 00 00 74 13 b8 03 00 00 00 0f 05 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d RSP: 002b:00007ffe8d8eef18 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 00007f2ffba4e668 RCX: 00007f2ffb321594 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007ffe8d8eef40 R08: 0000000000000000 R09: 0000000000000000 R10: 55c926e3167eae79 R11: 0000000000000202 R12: 0000000000000003 R13: 00007ffe8d8ef030 R14: 0000000000000000 R15: 00007f2ffba4e668 CR2: 0000000000000010 ---[ end trace 0000000000000000 ]---

Move hrtimer_init to timerlat_fd open() to avoid this problem.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 08/03/2025

The vulnerability described in CVE-2024-26703 resides within the Linux kernel's tracing subsystem, specifically in the timerlat functionality used for measuring timer latency. This issue manifests as a kernel NULL pointer dereference occurring when a user-space application opens and closes the timerlat_fd file descriptor without performing any read operations. The root cause lies in the improper initialization and lifecycle management of high-resolution timers within the timerlat tracing mechanism, which is governed by the kernel's debugfs interface for tracing capabilities.

The technical flaw stems from the timerlat subsystem initializing the hrtimer structure only during the first read operation of the timerlat_fd file descriptor. When an application opens and immediately closes the file descriptor without reading, the hrtimer remains uninitialized. Subsequently, when the file descriptor is closed, the timerlat_fd_release function attempts to cancel the timer using hrtimer_cancel, which leads to a NULL pointer dereference at the address 0x0000000000000010. This error occurs because hrtimer_cancel tries to access fields within a timer structure that has not been properly initialized, resulting in a kernel oops and potential system instability.

The operational impact of this vulnerability is significant as it can lead to system crashes and denial of service conditions when applications interact with the tracing subsystem in the described manner. Attackers could potentially exploit this weakness to cause kernel panics or system reboots by repeatedly opening and closing the timerlat_fd file descriptor without read operations, particularly in environments where automated monitoring tools or scripts might inadvertently trigger this condition. The vulnerability affects systems running kernel versions where the tracing subsystem is enabled and the timerlat functionality is accessible through debugfs.

The fix for this vulnerability involves moving the hrtimer_init function call from the first read operation to the timerlat_fd open operation, ensuring that the timer structure is properly initialized when the file descriptor is opened. This approach aligns with standard kernel development practices for resource management and prevents the race condition that leads to the NULL pointer dereference. This remediation follows the principle of initializing resources at the point of acquisition rather than at the point of first use, which is consistent with security best practices outlined in CWE-459 and aligns with ATT&CK techniques related to kernel exploitation and privilege escalation. The change ensures that timerlat functionality behaves predictably regardless of how applications interact with the file descriptor, thereby preventing the kernel from attempting to operate on uninitialized timer structures during cleanup operations.

Sources

Do you know our Splunk app?

Download it now for free!