CVE-2024-38568

drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group

Description

In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group The perf tool allows users to create event groups through following cmd [1], but the driver does not check whether the array index is out of bounds when writing data to the event_group array. If the number of events in an event_group is greater than HNS3_PMU_MAX_HW_EVENTS, the memory write overflow of event_group array occurs. Add array index check to fix the possible array out of bounds violation, and return directly when write new events are written to array bounds. There are 9 different events in an event_group. [1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}

Category

7.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.08%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/3669baf308308385a2ab391324abdde5682af5aa patch
https://git.kernel.org/stable/c/be1fa711e59c874d049f592aef1d4685bdd22bdf patch
https://git.kernel.org/stable/c/b5120d322763c15c978bc47beb3b6dff45624304 patch
https://git.kernel.org/stable/c/aa2d3d678895c8eedd003f1473f87d3f06fe6ec7 patch
https://git.kernel.org/stable/c/81bdd60a3d1d3b05e6cc6674845afb1694dd3a0e patch

Frequently Asked Questions

What is the severity of CVE-2024-38568?
CVE-2024-38568 has been scored as a high severity vulnerability.
How to fix CVE-2024-38568?
To fix CVE-2024-38568, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-38568 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-38568 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-38568?
CVE-2024-38568 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.