CVE-2025-37878

{"id": "CVE-2025-37878", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-05-09T07:16:09.020", "references": [{"url": "https://git.kernel.org/stable/c/0ba3a4ab76fd3367b9cb680cad70182c896c795c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1fe9b92eede32574dbe05b5bdb6ad666b350bed0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/90dc6c1e3b200812da8d0aa030e1b7fda8226d0e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cb56cd11feabf99e08bc18960700a53322ffcea7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-617"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix WARN_ON(!ctx) in __free_event() for partial init\n\nMove the get_ctx(child_ctx) call and the child_event->ctx assignment to\noccur immediately after the child event is allocated. Ensure that\nchild_event->ctx is non-NULL before any subsequent error path within\ninherit_event calls free_event(), satisfying the assumptions of the\ncleanup code.\n\nDetails:\n\nThere's no clear Fixes tag, because this bug is a side-effect of\nmultiple interacting commits over time (up to 15 years old), not\na single regression.\n\nThe code initially incremented refcount then assigned context\nimmediately after the child_event was created. Later, an early\nvalidity check for child_event was added before the\nrefcount/assignment. Even later, a WARN_ON_ONCE() cleanup check was\nadded, assuming event->ctx is valid if the pmu_ctx is valid.\nThe problem is that the WARN_ON_ONCE() could trigger after the initial\ncheck passed but before child_event->ctx was assigned, violating its\nprecondition. The solution is to assign child_event->ctx right after\nits initial validation. This ensures the context exists for any\nsubsequent checks or cleanup routines, resolving the WARN_ON_ONCE().\n\nTo resolve it, defer the refcount update and child_event->ctx assignment\ndirectly after child_event->pmu_ctx is set but before checking if the\nparent event is orphaned. The cleanup routine depends on\nevent->pmu_ctx being non-NULL before it verifies event->ctx is\nnon-NULL. This also maintains the author's original intent of passing\nin child_ctx to find_get_pmu_context before its refcount/assignment.\n\n[ mingo: Expanded the changelog from another email by Gabriel Shahrouzi. ]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: perf/core: Arregla WARN_ON(!ctx) en __free_event() para init parcial Mueve la llamada get_ctx(child_ctx) y la asignaci\u00f3n child_event->ctx para que ocurran inmediatamente despu\u00e9s de que se asigne el evento secundario. Aseg\u00farate de que child_event->ctx no sea NULL antes de cualquier ruta de error posterior dentro de las llamadas heritage_event a free_event(), satisfaciendo las suposiciones del c\u00f3digo de limpieza. Detalles: No hay una etiqueta Fixes clara, porque este error es un efecto secundario de m\u00faltiples confirmaciones interactivas a lo largo del tiempo (hasta 15 a\u00f1os de antig\u00fcedad), no una sola regresi\u00f3n. El c\u00f3digo inicialmente increment\u00f3 refcount y luego asign\u00f3 contexto inmediatamente despu\u00e9s de que se creara child_event. M\u00e1s tarde, se agreg\u00f3 una comprobaci\u00f3n de validez temprana para child_event antes de refcount/assignment. Incluso m\u00e1s tarde, se agreg\u00f3 una comprobaci\u00f3n de limpieza WARN_ON_ONCE(), asumiendo que event->ctx es v\u00e1lido si pmu_ctx es v\u00e1lido. El problema radica en que WARN_ON_ONCE() podr\u00eda activarse despu\u00e9s de que se supere la comprobaci\u00f3n inicial, pero antes de que se asignara child_event->ctx, incumpliendo su precondici\u00f3n. La soluci\u00f3n es asignar child_event->ctx justo despu\u00e9s de su validaci\u00f3n inicial. Esto garantiza la existencia del contexto para cualquier comprobaci\u00f3n o rutina de limpieza posterior, resolviendo WARN_ON_ONCE(). Para solucionarlo, posponga la actualizaci\u00f3n del recuento de referencias y la asignaci\u00f3n de child_event->ctx justo despu\u00e9s de que se configure child_event->pmu_ctx, pero antes de comprobar si el evento principal est\u00e1 hu\u00e9rfano. La rutina de limpieza depende de que event->pmu_ctx no sea NULL antes de verificar que event->ctx no sea NULL. Esto tambi\u00e9n mantiene la intenci\u00f3n original del autor de pasar child_ctx a find_get_pmu_context antes de su recuento de referencias/asignaci\u00f3n. [mingo: Registro de cambios ampliado de otro correo electr\u00f3nico de Gabriel Shahrouzi]."}], "lastModified": "2025-11-12T19:53:16.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D51CA5E-345A-4098-B85D-3F2BED7BF3A0", "versionEndExcluding": "6.6.89"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22F52099-F422-4D19-8283-45F9F9BF4392", "versionEndExcluding": "6.12.26", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B25CA7E-4CD0-46DB-B4EF-13A3516071FB", "versionEndExcluding": "6.14.5", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D465631-2980-487A-8E65-40AE2B9F8ED1"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}