Hello. We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.8. Attached to the email were a PoC file of the issue.
Stack dump: ------------[ cut here ]------------ unexpected event refcount: 2; ptr=ffff888019589820 WARNING: CPU: 0 PID: 13593 at kernel/events/core.c:5254 free_event+0xa3/0xc0 kernel/events/core.c:5254 Modules linked in: CPU: 0 PID: 13593 Comm: syz.3.346 Not tainted 6.8.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:free_event+0xa3/0xc0 kernel/events/core.c:5254 Code: b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 25 48 8b b5 38 02 00 00 48 89 ea 48 c7 c7 00 03 d7 8a e8 3e a9 9a ff 90 <0f> 0b 90 90 5d 41 5c 41 5d e9 bf ed d5 ff 4c 89 ef e8 77 b1 2d 00 RSP: 0018:ffffc90001b379c8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff814f699a RDX: ffff88801e7b4980 RSI: ffffffff814f69a7 RDI: 0000000000000001 RBP: ffff888019589820 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000002 R13: ffff888019589a58 R14: ffff888019589b00 R15: ffff888019589820 FS: 0000000000000000(0000) GS:ffff88802c600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f507464c360 CR3: 0000000053fa4000 CR4: 0000000000750ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> perf_event_release_kernel+0x5d4/0x8f0 kernel/events/core.c:5421 perf_release+0x37/0x50 kernel/events/core.c:5442 __fput+0x282/0xbc0 fs/file_table.c:376 task_work_run+0x16a/0x260 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xaf0/0x2a40 kernel/exit.c:871 do_group_exit+0xd4/0x2a0 kernel/exit.c:1020 get_signal+0x2440/0x2630 kernel/signal.c:2893 arch_do_signal_or_restart+0x81/0x7e0 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:105 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] irqentry_exit_to_user_mode+0x13c/0x280 kernel/entry/common.c:225 exc_page_fault+0xc6/0x180 arch/x86/mm/fault.c:1557 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570 RIP: 0033:0x7fd5ec9958d5 Code: Unable to access opcode bytes at 0x7fd5ec9958ab. RSP: 002b:0000000000000050 EFLAGS: 00010217 RAX: 0000000000000000 RBX: 00007fd5ecb33f60 RCX: 00007fd5ec9958cd RDX: 0000000000000000 RSI: 0000000000000050 RDI: 0000000000000280 RBP: 00007fd5eca1bb06 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 R13: 000000000000000b R14: 00007fd5ecb33f60 R15: 00007fd5ed77a000 </TASK> Thank you for taking the time to read this email and we look forward to working with you further.
poc.c
Description: Binary data
