CVE-2024-26902 in Linux

Summary

by MITRE • 04/17/2024

In the Linux kernel, the following vulnerability has been resolved:

perf: RISCV: Fix panic on pmu overflow handler

(1 << idx) of int is not desired when setting bits in unsigned long overflowed_ctrs, use BIT() instead. This panic happens when running 'perf record -e branches' on sophgo sg2042.

[ 273.311852] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
[ 273.320851] Oops [#1]
[ 273.323179] Modules linked in:
[ 273.326303] CPU: 0 PID: 1475 Comm: perf Not tainted 6.6.0-rc3+ #9
[ 273.332521] Hardware name: Sophgo Mango (DT)
[ 273.336878] epc : riscv_pmu_ctr_get_width_mask+0x8/0x62
[ 273.342291] ra : pmu_sbi_ovf_handler+0x2e0/0x34e
[ 273.347091] epc : ffffffff80aecd98 ra : ffffffff80aee056 sp : fffffff6e36928b0
[ 273.354454] gp : ffffffff821f82d0 tp : ffffffd90c353200 t0 : 0000002ade4f9978
[ 273.361815] t1 : 0000000000504d55 t2 : ffffffff8016cd8c s0 : fffffff6e3692a70
[ 273.369180] s1 : 0000000000000020 a0 : 0000000000000000 a1 : 00001a8e81800000
[ 273.376540] a2 : 0000003c00070198 a3 : 0000003c00db75a4 a4 : 0000000000000015
[ 273.383901] a5 : ffffffd7ff8804b0 a6 : 0000000000000015 a7 : 000000000000002a
[ 273.391327] s2 : 000000000000ffff s3 : 0000000000000000 s4 : ffffffd7ff8803b0
[ 273.398773] s5 : 0000000000504d55 s6 : ffffffd905069800 s7 : ffffffff821fe210
[ 273.406139] s8 : 000000007fffffff s9 : ffffffd7ff8803b0 s10: ffffffd903f29098
[ 273.413660] s11: 0000000080000000 t3 : 0000000000000003 t4 : ffffffff8017a0ca
[ 273.421022] t5 : ffffffff8023cfc2 t6 : ffffffd9040780e8
[ 273.426437] status: 0000000200000100 badaddr: 0000000000000098 cause: 000000000000000d
[ 273.434512] [] riscv_pmu_ctr_get_width_mask+0x8/0x62
[ 273.441169] [] handle_percpu_devid_irq+0x98/0x1ee
[ 273.447562] [] generic_handle_domain_irq+0x28/0x36
[ 273.454151] [] riscv_intc_irq+0x36/0x4e
[ 273.459659] [] handle_riscv_irq+0x4a/0x74
[ 273.465442] [] do_irq+0x62/0x92
[ 273.470360] Code: 0420 60a2 6402 5529 0141 8082 0013 0000 0013 0000 (6d5c) b783
[ 273.477921] ---[ end trace 0000000000000000 ]---
[ 273.482630] Kernel panic - not syncing: Fatal exception in interrupt


Analysis

by VulDB Data Team • 03/06/2025

The vulnerability CVE-2024-26902 represents a critical issue within the Linux kernel's performance monitoring unit implementation specifically for RISC-V architectures. This flaw manifests as a kernel panic during pmu overflow handling operations, particularly when executing performance recording commands with branch events on Sophgo sg2042 hardware. The root cause lies in an improper bit manipulation operation where the expression (1 << idx) applied to an integer type fails to correctly set bits within an unsigned long variable named overflowed_ctrs. This incorrect approach leads to a null pointer dereference at virtual address 0000000000000098, ultimately causing system instability and potential denial of service conditions.

The implementation error is a data-type mistake in a bit manipulation. In (1 << idx) the constant 1 is an int, so the shift is evaluated at int width; when the shift index reaches or exceeds the bit width of int the shift is undefined behavior, and the result no longer sets the intended bit once it is widened into the unsigned long overflowed_ctrs. The kernel's performance monitoring subsystem relies on these bit operations to track which of the performance counters have overflowed, so a wrong mask for unsigned long leads the overflow handler to access an invalid memory address. The stack trace shows execution passing through riscv_pmu_ctr_get_width_mask, pmu_sbi_ovf_handler and the interrupt handling routines, confirming that the issue originates in the RISC-V specific performance monitoring unit implementation.

The operational impact of this vulnerability extends beyond simple system crashes, as it affects the reliability of performance monitoring capabilities on RISC-V based systems. When running performance recording commands with branch events, the system becomes unstable and may require complete reboot to recover. This vulnerability particularly impacts embedded systems and edge computing devices utilizing Sophgo sg2042 processors, where performance monitoring is critical for system optimization and debugging. The panic occurs during interrupt handling, indicating that this flaw can disrupt normal system operations and potentially compromise the integrity of performance data collection processes. The issue demonstrates the importance of proper bit manipulation practices in kernel code, especially when dealing with hardware-specific performance monitoring units that require precise bit-level operations for correct functionality.

Mitigation for CVE-2024-26902 consists of correcting the bit manipulation in the kernel's RISC-V performance monitoring unit code: the fix replaces the (1 << idx) expression with the BIT() macro, which builds the mask at unsigned long width so that overflow handling works for every counter index. System administrators should update to a kernel version that carries this RISC-V pmu overflow handler fix. In addition, monitoring should be configured to detect and alert on performance monitoring unit failures, which gives early warning of instability. The fix addresses the underlying CWE-758 weakness (reliance on undefined or unspecified behavior in the bit manipulation) and keeps performance monitoring stable and reliable across the supported RISC-V platforms.
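The following is an added userland example, not kernel code, illustrating the defect described in the analysis above and the BIT()-style fix: the int-typed shift is evaluated at 32-bit width and sign-extended on widening (idx == 31), or is undefined for idx >= 32, while the unsigned long shift is correct for any counter index. The function names, the counter count passed to count_unsafe_indices, and the sample values are assumptions for this example.

```c
#include <limits.h>
#include <stdio.h>
/* Same definition as BIT() in the kernel's include/linux/bits.h: the 1 is an
 * unsigned long, so the shift is done at full 64-bit width, unsigned. */
#define BIT(nr) (1UL << (nr))

/* Pre-fix form: the constant 1 is an int, so the shift is evaluated in 32-bit
 * signed arithmetic and only then widened to unsigned long. For idx == 31 the
 * intermediate is INT_MIN and sign-extension sets bits 31..63; for idx >= 32
 * the shift is undefined behaviour (CWE-758). */
static unsigned long mark_overflowed_buggy(unsigned long overflowed_ctrs, int idx)
{
    return overflowed_ctrs | (1 << idx);
}

/* Post-fix form: BIT(idx) is an unsigned long, correct for 0 <= idx < 64. */
static unsigned long mark_overflowed_fixed(unsigned long overflowed_ctrs, int idx)
{
    return overflowed_ctrs | BIT(idx);
}

/* True when the int-typed shift in the buggy form is still well defined:
 * idx must stay below the sign bit of int (bit 31 on Linux targets). */
static int int_shift_is_defined(int idx)
{
    return idx >= 0 && idx < (int)(sizeof(int) * CHAR_BIT) - 1;
}

/* Number of counter indices in 0..num_counters-1 that the buggy form would
 * mishandle (sign-extended or undefined); a PMU with more than 31 counters
 * exposes at least one. The counter count is a hypothetical input. */
static int count_unsafe_indices(int num_counters)
{
    int unsafe = 0;
    for (int idx = 0; idx < num_counters; idx++)
        if (!int_shift_is_defined(idx))
            unsafe++;
    return unsafe;
}

int main(void)
{
    /* idx == 31 is the only buggy-form call: it shows the sign-extension
     * (0xffffffff80000000 on a typical build) without reaching the UB case. */
    printf("buggy idx=31: 0x%016lx\n", mark_overflowed_buggy(0UL, 31));
    printf("fixed idx=31: 0x%016lx\n", mark_overflowed_fixed(0UL, 31));
    printf("fixed idx=40: 0x%016lx\n", mark_overflowed_fixed(0UL, 40));
    return 0;
}
```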

Reservation: 02/19/2024
Disclosure: 04/17/2024
Moderation: accepted
CPE: ready
EPSS: 0.00011
KEV: no
Activities: very low

Sources
