CVE-2024-38569 in Linux

Summary

by MITRE • 06/19/2024

In the Linux kernel, the following vulnerability has been resolved:

drivers/perf: hisi_pcie: Fix out-of-bound access when valid event group

The perf tool allows users to create event groups through following cmd [1], but the driver does not check whether the array index is out of bounds when writing data to the event_group array. If the number of events in an event_group is greater than HISI_PCIE_MAX_COUNTERS, the memory write overflow of event_group array occurs.

Add array index check to fix the possible array out of bounds violation, and return directly when new events would be written beyond the array bounds.

There are 9 different events in an event_group.

[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}'


Analysis

by VulDB Data Team • 10/04/2025

CVE-2024-38569 is an out-of-bounds write in the Linux kernel's hisi_pcie PMU driver (drivers/perf), which exposes the PCIe performance counters of HiSilicon (Huawei) platforms to the perf subsystem. When a user opens a group of events on this PMU, the driver validates the group by walking the leader and its siblings and storing each distinct hardware event in a local event_group array sized HISI_PCIE_MAX_COUNTERS. Before the fix, that store was made without comparing the running index against the array size, so a group with more distinct events than the array holds writes past its end. The reproducer in the summary is the ordinary perf tool syntax for an event group, a brace-enclosed list such as perf stat -e '{pmu/event1/, ... ,pmu/event9/}' with nine events; no malformed input is involved, only a larger group than the driver can count.

The weakness is CWE-129 (improper validation of an array index), which here results in an out-of-bounds write (CWE-787). Beyond that, the available evidence supports less than the words "critical" and "arbitrary code execution" suggest. What is written past the array is event data chosen by the kernel, not attacker-supplied bytes, and the overflow is bounded by the size of the group; the public record for this CVE documents a memory-safety bug and its fix, not a demonstrated path to code execution, and the figures on this page (EPSS 0.00234, not in KEV, very low activity) are consistent with that. Reachability also matters. Opening hardware events on an uncore PMU such as this one means opening CPU-wide (system-level) events, which under the upstream default of kernel.perf_event_paranoid=2 already requires CAP_PERFMON or CAP_SYS_ADMIN. On a default configuration the overflow is therefore triggered by an already privileged user, and the realistic exposure is a kernel crash or memory corruption from an oversized perf invocation, or reachability by unprivileged users on hosts where that sysctl has been lowered.

Only hosts that actually carry the HiSilicon PCIe PMU hardware are affected: the driver registers its PMU when it binds to that device, so a kernel that merely ships the module is not exposed on other hardware. In ATT&CK terms the relevant technique is T1068 (Exploitation for Privilege Escalation), and only for the hypothetical case in which the corruption could be steered; T1059.001 is PowerShell and does not apply, and running perf is not in itself a scripting-interpreter technique. Because the trigger is a legitimate perf stat command, logs will show normal tool usage. The useful signals are the perf_event_open calls themselves, which can be recorded with an auditd syscall rule on perf_event_open, and an oops or panic whose trace passes through the hisi_pcie driver's event validation path.

The fix is the one the summary describes: compare the index against HISI_PCIE_MAX_COUNTERS before each store into event_group and reject the group (return failure) rather than write. Remediation is to run a kernel that contains that change, either a mainline kernel with the commit or a distribution kernel that backports it under this CVE. Until then, and as standing practice, keep kernel.perf_event_paranoid at 2 or higher so that only holders of CAP_PERFMON or CAP_SYS_ADMIN can open system-level events, and grant CAP_PERFMON narrowly. Kernel lockdown is not a control for this path: lockdown restricts perf sampling that could leak kernel data, not ordinary counting events. Least privilege applies to who may reach the PMU; the bounds check itself is simply correct validation of a user-controlled count.
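The following C program is an added model of the validation loop described above, written for this page; it is not the hisi_pcie driver's code. The macro value 8, the struct and function names, and the rule that two events with the same config share one counter are assumptions. The model keeps two spare slots after the array and places a canary in the first slot the real array does not have, so the overflowing store of the pre-fix logic becomes visible as a clobbered canary instead of undefined behaviour, while the post-fix logic rejects the same nine-event group before writing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed value for this model: the advisory names the macro, not its value. */
#define HISI_PCIE_MAX_COUNTERS 8

/* Spare slots after the modelled array so the overflowing write lands on a
 * canary we can inspect. Slot HISI_PCIE_MAX_COUNTERS is the first slot the
 * real driver's array does not have. */
#define SLACK 2
#define SLOTS (HISI_PCIE_MAX_COUNTERS + SLACK)

/* Minimal model of a perf event in a group: which hardware event it counts
 * and whether it is a software event (software events take no PMU counter). */
struct model_event {
	int config;
	bool is_software;
};

static const struct model_event canary = { .config = -1, .is_software = false };

struct group_result {
	int counters;          /* slots used, or -1 when the group is rejected */
	bool canary_clobbered; /* true if slot HISI_PCIE_MAX_COUNTERS was written */
};

/* Model of the group validation loop. Every hardware event that does not
 * count the same thing as one already placed is appended to slots[]. With
 * checked == false the index is never tested before the store (the bug);
 * with checked == true the group is refused before that store (the fix). */
static int place_group(const struct model_event *evs, size_t n, bool checked,
		       const struct model_event *slots[SLOTS])
{
	size_t counters = 0;

	for (size_t i = 0; i < n; i++) {
		size_t k;

		if (evs[i].is_software)
			continue;

		/* Assumption: events with equal config share one counter. */
		for (k = 0; k < counters; k++)
			if (slots[k]->config == evs[i].config)
				break;
		if (k < counters)
			continue;

		if (checked && counters >= HISI_PCIE_MAX_COUNTERS)
			return -1;                 /* the fix: reject, do not write */
		if (counters >= SLOTS)
			return -1;                 /* keeps the model itself in bounds */
		slots[counters++] = &evs[i];       /* the store the bug leaves unchecked */
	}
	return (int)counters;
}

/* Run a constructed group through the model and report what happened. */
static struct group_result run(const struct model_event *evs, size_t n, bool checked)
{
	const struct model_event *slots[SLOTS] = { NULL };
	struct group_result r;

	slots[HISI_PCIE_MAX_COUNTERS] = &canary;
	r.counters = place_group(evs, n, checked, slots);
	r.canary_clobbered = slots[HISI_PCIE_MAX_COUNTERS] != &canary;
	return r;
}

/* Constructed input: n distinct hardware events, like the nine-event
 * reproducer in the advisory. n is capped at SLOTS to stay inside the model. */
struct group_result run_group(size_t n, bool checked)
{
	struct model_event evs[SLOTS];

	if (n > SLOTS)
		n = SLOTS;
	for (size_t i = 0; i < SLOTS; i++) {
		evs[i].config = (int)i;
		evs[i].is_software = false;
	}
	return run(evs, n, checked);
}

/* Constructed input: ten events, of which one duplicates config 0 and one is
 * a software event, so only eight counters are needed and the group fits. */
struct group_result run_mixed_group(void)
{
	struct model_event evs[10];

	for (int i = 0; i < 8; i++)
		evs[i] = (struct model_event){ .config = i, .is_software = false };
	evs[8] = (struct model_event){ .config = 0, .is_software = false };
	evs[9] = (struct model_event){ .config = 99, .is_software = true };
	return run(evs, 10, true);
}

int main(void)
{
	struct group_result bug = run_group(9, false);
	struct group_result fix = run_group(9, true);

	printf("unchecked: counters=%d canary_clobbered=%d\n", bug.counters, bug.canary_clobbered);
	printf("checked:   counters=%d canary_clobbered=%d\n", fix.counters, fix.canary_clobbered);
	return 0;
}
```

The unchecked path reports nine counters and a clobbered canary, which is the write the CVE describes landing one slot past the array; the checked path returns -1 for the same group and leaves the canary alone, and the mixed group shows why duplicates and software events do not push a group over the limit.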

Reservation

06/18/2024

Disclosure

06/19/2024

Moderation

accepted

CPE

ready

EPSS

0.00234

KEV

no

Activities

very low

Sources
