1. Home
  2. Vulnerabilities
  3. CVE-2022-49607
4.7
MEDIUM CVSS 3.1
CVE-2022-49607
"Linux Perf Core Data Race Vulnerability"
Description

In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() Yang Jihing reported a race between perf_event_set_output() and perf_mmap_close(): CPU1 CPU2 perf_mmap_close(e2) if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0 detach_rest = true ioctl(e1, IOC_SET_OUTPUT, e2) perf_event_set_output(e1, e2) ... list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry) ring_buffer_attach(e, NULL); // e1 isn't yet added and // therefore not detached ring_buffer_attach(e1, e2->rb) list_add_rcu(&e1->rb_entry, &e2->rb->event_list) After this; e1 is attached to an unmapped rb and a subsequent perf_mmap() will loop forever more: again: mutex_lock(&e->mmap_mutex); if (event->rb) { ... if (!atomic_inc_not_zero(&e->rb->mmap_count)) { ... mutex_unlock(&e->mmap_mutex); goto again; } } The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach in perf_event_set_output() holds e1->mmap_mutex. As such there is no serialization to avoid this race. Change perf_event_set_output() to take both e1->mmap_mutex and e2->mmap_mutex to alleviate that problem. Additionally, have the loop in perf_mmap() detach the rb directly, this avoids having to wait for the concurrent perf_mmap_close() to get around to doing it to make progress.

INFO

Published Date :

Feb. 26, 2025, 7:01 a.m.

Last Modified :

March 13, 2025, 9:55 p.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products

The following products are affected by CVE-2022-49607 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 MEDIUM [email protected]
Solution
Update the Linux kernel to fix a data race in perf event handling.
  • Update the Linux kernel to the latest version.
  • Apply the provided patch to the kernel source.
  • Recompile and install the kernel.
  • Reboot the system.
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2022-49607.

URL Resource
https://git.kernel.org/stable/c/17f5417194136517ee9bbd6511249e5310e5617c Patch
https://git.kernel.org/stable/c/3bbd868099287ff9027db59029b502fcfa2202a0 Patch
https://git.kernel.org/stable/c/43128b3eee337824158f34da6648163d2f2fb937 Patch
https://git.kernel.org/stable/c/68e3c69803dada336893640110cb87221bb01dcf Patch
https://git.kernel.org/stable/c/98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c Patch
https://git.kernel.org/stable/c/a9391ff7a7c5f113d6f2bf6621d49110950de49c Patch
https://git.kernel.org/stable/c/da3c256e2d0ebc87c7db0c605c9692b6f1722074 Patch
https://git.kernel.org/stable/c/f836f9ac95df15f1e0af4beb0ec20021e8c91998 Patch
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2022-49607 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2022-49607 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2022-49607 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2022-49607 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Mar. 13, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
    Added CWE CWE-362
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.19:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.19:rc6:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.9.8 from (excluding) 4.9.325 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.10 from (excluding) 4.14.290 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.4.52 from (excluding) 3.5 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 from (excluding) 5.15.58 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 from (excluding) 5.4.208 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 from (excluding) 5.18.15 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.2.49 from (excluding) 3.3 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 from (excluding) 5.10.134 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 from (excluding) 4.19.254
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/17f5417194136517ee9bbd6511249e5310e5617c Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/3bbd868099287ff9027db59029b502fcfa2202a0 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/43128b3eee337824158f34da6648163d2f2fb937 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/68e3c69803dada336893640110cb87221bb01dcf Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/a9391ff7a7c5f113d6f2bf6621d49110950de49c Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/da3c256e2d0ebc87c7db0c605c9692b6f1722074 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/f836f9ac95df15f1e0af4beb0ec20021e8c91998 Types: Patch
  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Feb. 26, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() Yang Jihing reported a race between perf_event_set_output() and perf_mmap_close(): CPU1 CPU2 perf_mmap_close(e2) if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0 detach_rest = true ioctl(e1, IOC_SET_OUTPUT, e2) perf_event_set_output(e1, e2) ... list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry) ring_buffer_attach(e, NULL); // e1 isn't yet added and // therefore not detached ring_buffer_attach(e1, e2->rb) list_add_rcu(&e1->rb_entry, &e2->rb->event_list) After this; e1 is attached to an unmapped rb and a subsequent perf_mmap() will loop forever more: again: mutex_lock(&e->mmap_mutex); if (event->rb) { ... if (!atomic_inc_not_zero(&e->rb->mmap_count)) { ... mutex_unlock(&e->mmap_mutex); goto again; } } The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach in perf_event_set_output() holds e1->mmap_mutex. As such there is no serialization to avoid this race. Change perf_event_set_output() to take both e1->mmap_mutex and e2->mmap_mutex to alleviate that problem. Additionally, have the loop in perf_mmap() detach the rb directly, this avoids having to wait for the concurrent perf_mmap_close() to get around to doing it to make progress.
    Added Reference https://git.kernel.org/stable/c/17f5417194136517ee9bbd6511249e5310e5617c
    Added Reference https://git.kernel.org/stable/c/3bbd868099287ff9027db59029b502fcfa2202a0
    Added Reference https://git.kernel.org/stable/c/43128b3eee337824158f34da6648163d2f2fb937
    Added Reference https://git.kernel.org/stable/c/68e3c69803dada336893640110cb87221bb01dcf
    Added Reference https://git.kernel.org/stable/c/98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c
    Added Reference https://git.kernel.org/stable/c/a9391ff7a7c5f113d6f2bf6621d49110950de49c
    Added Reference https://git.kernel.org/stable/c/da3c256e2d0ebc87c7db0c605c9692b6f1722074
    Added Reference https://git.kernel.org/stable/c/f836f9ac95df15f1e0af4beb0ec20021e8c91998
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 4.7
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact