Linux Kernel Out-of-Bounds Write Vulnerability in Tracing Histogram Component

Vulnerability

An out-of-bounds write vulnerability has been identified in the Linux kernel's tracing histogram feature. The issue arises when a synthetic event is created with more parameters than the corresponding index array can hold. It is present in stable Linux kernel versions prior to 6.1.0. The root cause lies in the 'trace_action_create()' function, where the parameter count can reach up to 64, while the corresponding index array is limited to 16 entries. This discrepancy leads to memory corruption, overwriting critical data and causing a kernel panic.
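
The size mismatch described above, modelled in user-space C as an added example (not kernel code and not taken from this advisory). The names action_model, record_params_flawed and record_params_checked are hypothetical; only the limits 64 and 16 come from the text, and the flawed variant counts the stores that would land past the array instead of performing them.

```c
#include <errno.h>
#include <stdio.h>

#define PARAMS_MAX 64 /* parameter limit named in the advisory */
#define IDX_SLOTS  16 /* index array size named in the advisory */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-in for the kernel's per-action data. */
struct action_model {
    unsigned int idx[IDX_SLOTS]; /* one slot per event parameter */
    unsigned long guard;         /* neighbouring data an overflow would hit */
};

/* Flawed pattern: the count is checked against PARAMS_MAX only. The model
 * skips the stray stores to stay memory safe and returns how many writes
 * would have landed past the end of idx[]. */
int record_params_flawed(struct action_model *a, unsigned int n)
{
    unsigned int i, past_end = 0;
    if (n > PARAMS_MAX)
        return -EINVAL;
    for (i = 0; i < n; i++) {
        if (i < ARRAY_LEN(a->idx))
            a->idx[i] = i;
        else
            past_end++; /* unchecked code would corrupt memory here */
    }
    return (int)past_end;
}

/* Hardened pattern: the limit is derived from the array that is written. */
int record_params_checked(struct action_model *a, unsigned int n)
{
    unsigned int i;
    if (n > ARRAY_LEN(a->idx))
        return -EINVAL;
    for (i = 0; i < n; i++)
        a->idx[i] = i;
    return 0;
}

int main(void)
{
    struct action_model a = { .guard = 0xA5A5UL };
    printf("flawed, 64 params: %d writes past idx[]\n", record_params_flawed(&a, 64));
    printf("checked, 64 params: %d\n", record_params_checked(&a, 64));
    printf("checked, 16 params: %d\n", record_params_checked(&a, 16));
    return 0;
}
```

Deriving the bound from the destination array keeps the check correct even if the two limits are changed independently later.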

Impact

Exploitation of this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, create a synthetic event with 64 parameters and then generate a trace action for it. This can be done by writing the event definition into the 'synthetic_events' file and setting up a histogram trigger that references the synthetic event. When the event is triggered, the kernel will panic due to the out-of-bounds write.

Remediation

Users can upgrade to Linux kernel versions 6.1.0 or later, where this vulnerability has been fixed.

Added: Oct 7, 2025, 6:07 PM
Updated: Oct 7, 2025, 6:07 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.