| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026021417-CVE-2026-23159-7d2c@gregkh> Date: Sat, 14 Feb 2026 17:04:25 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2026-23159: perf: sched: Fix perf crash with new is_user_task() helper From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: perf: sched: Fix perf crash with new is_user_task() helper In order to do a user space stacktrace the current task needs to be a user task that has executed in user space. It use to be possible to test if a task is a user task or not by simply checking the task_struct mm field. If it was non NULL, it was a user task and if not it was a kernel task. But things have changed over time, and some kernel tasks now have their own mm field. An idea was made to instead test PF_KTHREAD and two functions were used to wrap this check in case it became more complex to test if a task was a user task or not[1]. But this was rejected and the C code simply checked the PF_KTHREAD directly. It was later found that not all kernel threads set PF_KTHREAD. The io-uring helpers instead set PF_USER_WORKER and this needed to be added as well. But checking the flags is still not enough. There's a very small window when a task exits that it frees its mm field and it is set back to NULL. If perf were to trigger at this moment, the flags test would say its a user space task but when perf would read the mm field it would crash with at NULL pointer dereference. Now there are flags that can be used to test if a task is exiting, but they are set in areas that perf may still want to profile the user space task (to see where it exited). The only real test is to check both the flags and the mm field. Instead of making this modification in every location, create a new is_user_task() helper function that does all the tests needed to know if it is safe to read the user space memory or not. [1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/ The Linux kernel CVE team has assigned CVE-2026-23159 to this issue. Affected and fixed versions =========================== Issue introduced in 6.6.116 with commit 34b5aba8511a12fb2e9bd3124835cb4087187dac and fixed in 6.6.123 with commit d84a4836dc246b7dc244e46a08ff992956b68db0 Issue introduced in 6.12.57 with commit 8d79f96e477c4b8e3fca2efb36b269d8960a2285 and fixed in 6.12.69 with commit 5aac392fcd3d981d7997f1a0766829e1afdeac2e Issue introduced in 6.18 with commit 90942f9fac05702065ff82ed0bade0d08168d4ea and fixed in 6.18.9 with commit a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c Issue introduced in 6.18 with commit 90942f9fac05702065ff82ed0bade0d08168d4ea and fixed in 6.19 with commit 76ed27608f7dd235b727ebbb12163438c2fbb617 Issue introduced in 6.17.7 with commit 5050083e1a2f3e5e29cee0205c40e5864b52601d Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-23159 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: include/linux/sched.h kernel/events/callchain.c kernel/events/core.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/d84a4836dc246b7dc244e46a08ff992956b68db0 https://git.kernel.org/stable/c/5aac392fcd3d981d7997f1a0766829e1afdeac2e https://git.kernel.org/stable/c/a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c https://git.kernel.org/stable/c/76ed27608f7dd235b727ebbb12163438c2fbb617
Powered by blists - more mailing lists