Linux Kernel up to 5.12.2 tracing trace_clock_global recursion

Summaryinfo

A vulnerability, which was classified as critical, has been found in Linux Kernel up to 5.12.2. This affects the function trace_clock_global of the component tracing. The manipulation leads to recursion. This vulnerability is uniquely identified as CVE-2021-46939. No exploit exists. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, has been found in Linux Kernel up to 5.12.2 (Operating System). This issue affects the function trace_clock_global of the component tracing. The manipulation with an unknown input leads to a recursion vulnerability. Using CWE to declare the problem leads to CWE-674. The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. Impacted is availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: tracing: Restructure trace_clock_global() to never block It was reported that a fix to the ring buffer recursion detection would cause a hung machine when performing suspend / resume testing. The following backtrace was extracted from debugging that case: Call Trace: trace_clock_global+0x91/0xa0 __rb_reserve_next+0x237/0x460 ring_buffer_lock_reserve+0x12a/0x3f0 trace_buffer_lock_reserve+0x10/0x50 __trace_graph_return+0x1f/0x80 trace_graph_return+0xb7/0xf0 ? trace_clock_global+0x91/0xa0 ftrace_return_to_handler+0x8b/0xf0 ? pv_hash+0xa0/0xa0 return_to_handler+0x15/0x30 ? ftrace_graph_caller+0xa0/0xa0 ? trace_clock_global+0x91/0xa0 ? __rb_reserve_next+0x237/0x460 ? ring_buffer_lock_reserve+0x12a/0x3f0 ? trace_event_buffer_lock_reserve+0x3c/0x120 ? trace_event_buffer_reserve+0x6b/0xc0 ? trace_event_raw_event_device_pm_callback_start+0x125/0x2d0 ? dpm_run_callback+0x3b/0xc0 ? pm_ops_is_empty+0x50/0x50 ? platform_get_irq_byname_optional+0x90/0x90 ? trace_device_pm_callback_start+0x82/0xd0 ? dpm_run_callback+0x49/0xc0 With the following RIP: RIP: 0010:native_queued_spin_lock_slowpath+0x69/0x200 Since the fix to the recursion detection would allow a single recursion to happen while tracing, this lead to the trace_clock_global() taking a spin lock and then trying to take it again: ring_buffer_lock_reserve() { trace_clock_global() { arch_spin_lock() { queued_spin_lock_slowpath() { /* lock taken */ (something else gets traced by function graph tracer) ring_buffer_lock_reserve() { trace_clock_global() { arch_spin_lock() { queued_spin_lock_slowpath() { /* DEAD LOCK! */ Tracing should *never* block, as it can lead to strange lockups like the above. Restructure the trace_clock_global() code to instead of simply taking a lock to update the recorded "prev_time" simply use it, as two events happening on two different CPUs that calls this at the same time, really doesn't matter which one goes first. Use a trylock to grab the lock for updating the prev_time, and if it fails, simply try again the next time. If it failed to be taken, that means something else is already updating it. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212761

The weakness was disclosed 02/27/2024. It is possible to read the advisory at git.kernel.org. The identification of this vulnerability is CVE-2021-46939 since 02/25/2024. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 4.4.269, 4.9.269, 4.14.233, 4.19.191, 5.4.118, 5.10.36, 5.11.20, 5.12.3 or 5.13 eliminates this vulnerability. Applying the patch 91ca6f6a91f6/859b47a43f5a/1fca00920327/d43d56dbf452/c64da3294a7d/a33614d52e97/6e2418576228/2a1bd74b8186/aafe104aa909 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 4.4.268
• 4.9.268
• 4.14.232
• 4.19.190
• 5.0
• 5.1
• 5.2
• 5.3
• 5.4
• 5.4.117
• 5.5
• 5.6
• 5.7
• 5.8
• 5.9
• 5.10
• 5.10.0
• 5.10.1
• 5.10.2
• 5.10.3
• 5.10.4
• 5.10.5
• 5.10.6
• 5.10.7
• 5.10.8
• 5.10.9
• 5.10.10
• 5.10.11
• 5.10.12
• 5.10.13
• 5.10.14
• 5.10.15
• 5.10.16
• 5.10.17
• 5.10.18
• 5.10.19
• 5.10.20
• 5.10.21
• 5.10.22
• 5.10.23
• 5.10.24
• 5.10.25
• 5.10.26
• 5.10.27
• 5.10.28
• 5.10.29
• 5.10.30
• 5.10.31
• 5.10.32
• 5.10.33
• 5.10.34
• 5.10.35
• 5.11
• 5.11.0
• 5.11.1
• 5.11.2
• 5.11.3
• 5.11.4
• 5.11.5
• 5.11.6
• 5.11.7
• 5.11.8
• 5.11.9
• 5.11.10
• 5.11.11
• 5.11.12
• 5.11.13
• 5.11.14
• 5.11.15
• 5.11.16
• 5.11.17
• 5.11.18
• 5.11.19
• 5.12
• 5.12.0
• 5.12.1
• 5.12.2

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion