Linux Kernel AMD EPYC NULL Pointer Dereference Vulnerability in PMU NMI Handler

Vulnerability

A vulnerability in the Linux kernel's handling of performance monitoring unit (PMU) events on AMD EPYC systems can lead to a NULL pointer dereference in the PMU non-maskable interrupt (NMI) handler, causing a system crash. The event pointer for a specific CPU is not properly initialized before the NMI handler accesses it, so the handler reads a NULL value and crashes. This problem is linked to a recent change in how PMU events are managed, which inadvertently created a race condition that can be exploited when certain events are throttled and then resumed.

Impact

Exploitation of this vulnerability causes a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by allowing a group of performance events to overflow, which triggers a throttle condition. While the events are still throttled, the x86_pmu_enable() function is called, skipping the initialization of the event pointer for the unthrottled events. When the events are resumed, the PMU NMI handler attempts to access the event pointer, which is still NULL, causing a crash.
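The ordering problem described above, as a simplified user-space model added here for illustration; it is not kernel code and not the upstream patch. The struct and function names are hypothetical, and the `early_ptr` ordering is an assumed fix, not necessarily the one the stable tree applies.

```c
#include <stdbool.h>
#include <stdio.h>

#define NUM_COUNTERS 4
struct event { int id; bool throttled; };

/* Hypothetical per-CPU PMU state; names are illustrative, not the kernel's. */
struct cpu_pmu {
    struct event *assigned[NUM_COUNTERS]; /* event scheduled on each counter */
    struct event *events[NUM_COUNTERS];   /* pointer the NMI handler reads */
    bool active[NUM_COUNTERS];            /* counter is counting */
};

/* Enable path. early_ptr=false: pointer stored only for events that start. */
static void pmu_enable(struct cpu_pmu *c, bool early_ptr) {
    for (int i = 0; i < NUM_COUNTERS; i++) {
        struct event *e = c->assigned[i];
        if (!e) continue;
        if (early_ptr) c->events[i] = e; /* assumed fix: store before the skip */
        if (e->throttled) continue;      /* throttled events are skipped */
        c->events[i] = e;
        c->active[i] = true;
    }
}

/* Resume after throttling: restarts the counter, never touches events[]. */
static void pmu_unthrottle(struct cpu_pmu *c, int i) {
    c->assigned[i]->throttled = false;
    c->active[i] = true;
}

/* Counts active counters whose event pointer is still NULL. */
static int nmi_null_slots(const struct cpu_pmu *c) {
    int bad = 0;
    for (int i = 0; i < NUM_COUNTERS; i++)
        if (c->active[i] && c->events[i] == NULL) bad++;
    return bad;
}

/* Constructed scenario: a two-event group overflowed and is throttled. */
int run_scenario(bool early_ptr) {
    struct event group[2] = { {1, true}, {2, true} };
    struct cpu_pmu c = {0};
    c.assigned[0] = &group[0]; c.assigned[1] = &group[1];
    pmu_enable(&c, early_ptr);                   /* enable while throttled */
    pmu_unthrottle(&c, 0); pmu_unthrottle(&c, 1); /* events resumed */
    return nmi_null_slots(&c);
}

int main(void) {
    printf("NULL slots: flawed=%d early-store=%d\n", run_scenario(false), run_scenario(true));
    return 0;
}
```

Each slot counted by `nmi_null_slots()` is an active counter that a handler trusting `events[]` would dereference as NULL.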

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Apr 3, 2026, 5:14 PM
Updated: Apr 3, 2026, 5:14 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.