CVE-2024-26796 in Linuxinfo

Summary

by MITRE • 04/04/2024

In the Linux kernel, the following vulnerability has been resolved:

drivers: perf: ctr_get_width function for legacy is not defined

With parameters CONFIG_RISCV_PMU_LEGACY=y and CONFIG_RISCV_PMU_SBI=n linux kernel crashes when you try perf record:

$ perf record ls [ 46.749286] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 46.750199] Oops [#1]
[ 46.750342] Modules linked in:
[ 46.750608] CPU: 0 PID: 107 Comm: perf-exec Not tainted 6.6.0 #2
[ 46.750906] Hardware name: riscv-virtio,qemu (DT)
[ 46.751184] epc : 0x0
[ 46.751430] ra : arch_perf_update_userpage+0x54/0x13e
[ 46.751680] epc : 0000000000000000 ra : ffffffff8072ee52 sp : ff2000000022b8f0
[ 46.751958] gp : ffffffff81505988 tp : ff6000000290d400 t0 : ff2000000022b9c0
[ 46.752229] t1 : 0000000000000001 t2 : 0000000000000003 s0 : ff2000000022b930
[ 46.752451] s1 : ff600000028fb000 a0 : 0000000000000000 a1 : ff600000028fb000
[ 46.752673] a2 : 0000000ae2751268 a3 : 00000000004fb708 a4 : 0000000000000004
[ 46.752895] a5 : 0000000000000000 a6 : 000000000017ffe3 a7 : 00000000000000d2
[ 46.753117] s2 : ff600000028fb000 s3 : 0000000ae2751268 s4 : 0000000000000000
[ 46.753338] s5 : ffffffff8153e290 s6 : ff600000863b9000 s7 : ff60000002961078
[ 46.753562] s8 : ff60000002961048 s9 : ff60000002961058 s10: 0000000000000001
[ 46.753783] s11: 0000000000000018 t3 : ffffffffffffffff t4 : ffffffffffffffff
[ 46.754005] t5 : ff6000000292270c t6 : ff2000000022bb30
[ 46.754179] status: 0000000200000100 badaddr: 0000000000000000 cause: 000000000000000c
[ 46.754653] Code: Unable to access instruction at 0xffffffffffffffec.
[ 46.754939] ---[ end trace 0000000000000000 ]---
[ 46.755131] note: perf-exec[107] exited with irqs disabled
[ 46.755546] note: perf-exec[107] exited with preempt_count 4

This happens because in the legacy case the ctr_get_width function was not defined, but it is used in arch_perf_update_userpage.

Also remove extra check in riscv_pmu_ctr_get_width_mask

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 08/04/2025

The vulnerability identified as CVE-2024-26796 represents a critical null pointer dereference in the Linux kernel's performance monitoring unit implementation for RISC-V architectures. This flaw specifically manifests when the kernel is configured with CONFIG_RISCV_PMU_LEGACY=y and CONFIG_RISCV_PMU_SBI=n parameters, creating a scenario where the perf tool crashes the entire system during normal operation. The issue stems from the absence of a required function definition for the ctr_get_width function within the legacy performance monitoring unit code path. When users attempt to execute performance recording commands such as "perf record ls", the kernel encounters a NULL pointer dereference at virtual address zero, resulting in an immediate system crash and oops message. This vulnerability directly impacts the kernel's ability to handle performance monitoring operations on RISC-V systems configured for legacy PMU support, effectively creating a denial of service condition that can compromise system stability and availability.

The technical root cause of this vulnerability lies in the incomplete implementation of the RISC-V performance monitoring unit driver where the ctr_get_width function remains undefined for legacy configurations. The crash occurs during the arch_perf_update_userpage function execution when it attempts to call the missing ctr_get_width function, leading to the null pointer dereference at address zero. This type of vulnerability maps directly to CWE-476, which describes NULL pointer dereference conditions, and represents a classic case of missing function implementation in conditional compilation scenarios. The kernel's performance subsystem fails to properly initialize or provide the necessary function pointer for legacy RISC-V PMU implementations, causing the system to crash when attempting to access undefined functionality. The error trace shows the execution flow leading to the crash, with the epc register pointing to address zero and the ra register indicating the function where the fault occurred, demonstrating the system's inability to handle the missing function call gracefully.

The operational impact of this vulnerability extends beyond simple system crashes to potentially affect security monitoring and system integrity on RISC-V platforms. When performance monitoring tools fail due to this kernel bug, administrators lose visibility into system performance metrics, which can mask other security-related issues or performance degradation. The vulnerability creates a persistent denial of service condition that requires kernel recompilation or configuration changes to resolve, making it particularly problematic in production environments where system stability is paramount. Attackers could potentially exploit this vulnerability to cause system instability or perform denial of service attacks against RISC-V based systems, especially in environments where performance monitoring is actively used. The vulnerability affects the ATT&CK technique T1490, which involves exploiting system resource consumption to cause denial of service, as the system crashes when attempting legitimate performance monitoring operations. Additionally, the vulnerability impacts T1562.001, which involves disabling or modifying system services, as the kernel's performance monitoring subsystem becomes unreliable and potentially unusable.

Mitigation strategies for CVE-2024-26796 require immediate kernel updates from vendors who have addressed this issue in their patched versions. System administrators should ensure their RISC-V systems are running kernel versions that include the fix for this vulnerability, which typically involves properly defining the ctr_get_width function for legacy PMU configurations. The recommended approach includes updating to kernel versions that contain the specific patch addressing the missing function implementation. Alternative configurations can be employed by setting CONFIG_RISCV_PMU_LEGACY=n to avoid the problematic code path entirely, though this may limit functionality for systems that specifically require legacy PMU support. Organizations should also implement monitoring solutions that can detect system crashes or performance degradation that might indicate this vulnerability is active, as the system may appear to crash without clear indication of the underlying performance monitoring subsystem failure. Security teams should consider temporarily disabling performance monitoring capabilities on affected systems until proper patches are deployed, and all affected systems should be audited for potential compromise or instability related to performance monitoring operations. The fix typically involves properly implementing the missing ctr_get_width function within the legacy PMU code path and removing unnecessary checks that may have contributed to the function resolution issues.

Reservation

02/19/2024

Disclosure

04/04/2024

Moderation

accepted

CPE

ready

EPSS

0.00224

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!