Linux Kernel User Task Identification Vulnerability in Perf Scheduler

Vulnerability

A vulnerability in the Linux kernel's perf scheduler component can crash the kernel's perf subsystem through improper handling of user tasks. The issue stems from changes in how the kernel manages task memory: some kernel tasks can now have their own memory fields. That breaks the earlier method of identifying user tasks, which relied on checking whether the task's memory field was null.

The current approach, which tests task flags, is also insufficient. During a brief period of transition it may classify a task as a user task even though that task no longer has user memory, and the perf subsystem then hits a null pointer dereference when it attempts to access user space memory. To address this, a new helper function has been introduced that accurately determines whether a task is a user task, so that user space memory is only accessed when it is safe to do so.

Impact

This vulnerability can cause a null pointer dereference, leading to a crash of the perf subsystem.

Reproduction

The vulnerability can be reproduced by using the perf tool to profile a task that is in the process of exiting. During this brief window, the task's memory field is cleared, but the flags indicating the task's state may still suggest it is a user task. This mismatch can cause perf to attempt to read user space memory from a task that has already exited, resulting in a null pointer dereference and a crash.
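The three ways of classifying a task described above (memory field only, flags only, and both together) can be compared in a small user-space model. This is an added example, not the kernel's code or the actual fix: the structs, `sample()` and the bit values are hypothetical, and the page does not name the flags tested, so the use of the kernel's `PF_KTHREAD` and `PF_USER_WORKER` names is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Real kernel flag names (assumed to be the ones tested); model bit values. */
#define PF_KTHREAD     0x1u
#define PF_USER_WORKER 0x2u

struct mm_model { unsigned long stack_top; };
struct task_model { unsigned int flags; struct mm_model *mm; };
typedef bool (*classifier)(const struct task_model *);

/* Oldest test: a non-NULL memory field means "user task". */
static bool mm_only(const struct task_model *t) { return t->mm != NULL; }

/* Flags test: anything not marked as a kernel thread or worker is "user". */
static bool flags_only(const struct task_model *t)
{
    return !(t->flags & (PF_KTHREAD | PF_USER_WORKER));
}

/* Combined test: flags must say "user" and the memory field must be set. */
static bool flags_and_mm(const struct task_model *t)
{
    return flags_only(t) && t->mm != NULL;
}

enum result { SAMPLED, SKIPPED, WOULD_FAULT };

/* Model of a sampler that reads user memory through t->mm once the
 * classifier says "user task". WOULD_FAULT marks the point where the
 * kernel would dereference a NULL pointer. */
static enum result sample(const struct task_model *t, classifier is_user)
{
    if (!is_user(t))
        return SKIPPED;
    if (t->mm == NULL)
        return WOULD_FAULT;
    unsigned long top = t->mm->stack_top;   /* the user-memory access */
    (void)top;
    return SAMPLED;
}

int main(void)
{
    struct mm_model mm = { 0x7ffd0000UL };            /* constructed value */
    struct task_model exiting = { 0, NULL };          /* mm cleared, flags unchanged */
    struct task_model kthread = { PF_KTHREAD, &mm };  /* kernel task with own mm */
    printf("exiting: flags_only=%d flags_and_mm=%d\n",
           sample(&exiting, flags_only), sample(&exiting, flags_and_mm));
    printf("kthread: mm_only=%d flags_and_mm=%d\n",
           sample(&kthread, mm_only), sample(&kthread, flags_and_mm));
    return 0;
}
```

Only the combined test skips both problem cases: the exiting task whose memory field is already null, and the kernel task that carries its own memory field.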

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Feb 14, 2026, 4:21 PM
Updated: Feb 14, 2026, 4:21 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.