Linux Kernel VMA Split Vulnerability in Perf Buffer Mappings

Vulnerability

A vulnerability in the Linux kernel's perf subsystem allows the virtual memory areas (VMAs) of perf buffer mappings to be split, which can lead to reference count leaks. The perf mmap implementation does not prevent the related mappings from being split, so subsequent perf_mmap_close() calls on the split pieces bypass the offset and size checks that the teardown path relies on. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability causes reference count leaks in the perf subsystem, which can lead to memory management issues.

Reproduction

The vulnerability can be reproduced by creating a perf event that uses both a ring buffer and an auxiliary buffer. After the initial mmap() call, which correctly establishes the mapping, the VMA can be split using munmap(2) or mremap(2). Once split, the pieces no longer match the offset and size that were recorded at mmap() time; the perf subsystem does not handle this mismatch, so perf_mmap_close() does not release the reference and it is leaked.

Remediation

The vulnerability has been addressed by modifying the perf mmap implementation to include a vm_operations_struct::may_split() callback that unconditionally prevents VMA splits. Users should upgrade to a Linux kernel version in which this fix has been applied.
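To show why a split defeats the close-time checks and why refusing splits closes the gap, here is an added user-space model (example code, not the kernel's perf code): the buffer bookkeeping, the close and split routines and the may_split hook are simplified stand-ins with made-up signatures, and the 8-page mapping and 2-page cut are constructed values.

```c
#include <stdio.h>
#include <errno.h>

/* Simplified user-space model of the perf mmap bookkeeping (not kernel code). */
struct buffer {
    unsigned long nr_pages; /* pages covered by the mapping made at mmap() */
    int refcount;           /* released only when close() sees the whole mapping */
};
struct vma {
    unsigned long pgoff;    /* page offset into the perf file */
    unsigned long nr_pages; /* pages covered by this VMA */
    struct buffer *buf;
    int (*may_split)(const struct vma *); /* hypothetical, simplified may_split hook */
};

/* The fix in miniature: refuse every split of a perf buffer VMA. */
static int refuse_split(const struct vma *v) { (void)v; return -EINVAL; }

/* mmap(): one VMA covering the buffer, one reference on it. */
static void perf_mmap_model(struct vma *v, struct buffer *b, unsigned long nr_pages,
                            int (*may_split)(const struct vma *)) {
    b->nr_pages = nr_pages; b->refcount = 1;
    v->pgoff = 0; v->nr_pages = nr_pages; v->buf = b; v->may_split = may_split;
}

/* close(): the reference is released only if offset and size still match the mapping. */
static void perf_mmap_close_model(const struct vma *v) {
    if (v->pgoff == 0 && v->nr_pages == v->buf->nr_pages)
        v->buf->refcount--;
    /* otherwise the checks are bypassed and nothing is released: this is the leak */
}

/* Partial munmap(): split the VMA at `cut` pages into lo (v) and hi, unless may_split refuses. */
static int split_vma_model(struct vma *v, unsigned long cut, struct vma *hi) {
    if (v->may_split) { int err = v->may_split(v); if (err) return err; }
    *hi = *v; hi->pgoff = v->pgoff + cut; hi->nr_pages = v->nr_pages - cut;
    v->nr_pages = cut;
    return 0;
}

/* Scenario: map 8 pages, unmap the first 2, then unmap the rest; returns references left behind. */
static int leaked_refs(int (*may_split)(const struct vma *)) {
    struct buffer b; struct vma lo, hi;
    perf_mmap_model(&lo, &b, 8, may_split);
    if (split_vma_model(&lo, 2, &hi) == 0) {
        perf_mmap_close_model(&lo); /* 2 pages: size mismatch, no release */
        perf_mmap_close_model(&hi); /* pgoff 2: offset mismatch, no release */
    } else {
        perf_mmap_close_model(&lo); /* split refused, so the whole mapping closes as one */
    }
    return b.refcount;
}
```

leaked_refs(NULL) models the unpatched kernel and leaves one reference behind; leaked_refs(refuse_split) models the fix and leaves none.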

Added: Aug 19, 2025, 6:45 PM
Updated: Aug 19, 2025, 6:45 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.