CVE-2022-48922

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-48922
In the Linux kernel, the following vulnerability has been resolved: riscv: fix oops caused by irqsoff latency tracer The trace_hardirqs_{on,off}() require the caller to setup frame pointer properly. This because these two functions use macro 'CALLER_ADDR1' (aka. __builtin_return_address(1)) to acquire caller info. If the $fp is used for other purpose, the code generated this macro (as below) could trigger memory access fault. 0xffffffff8011510e <+80>: ld a1,-16(s0) 0xffffffff80115112 <+84>: ld s2,-8(a1) # <-- paging fault here The oops message during booting if compiled with 'irqoff' tracer enabled: [ 0.039615][ T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8 [ 0.041925][ T0] Oops [#1] [ 0.042063][ T0] Modules linked in: [ 0.042864][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29 [ 0.043568][ T0] Hardware name: riscv-virtio,qemu (DT) [ 0.044343][ T0] epc : trace_hardirqs_on+0x56/0xe2 [ 0.044601][ T0] ra : restore_all+0x12/0x6e [ 0.044721][ T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0 [ 0.044801][ T0] gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020 [ 0.044882][ T0] t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0 [ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100 [ 0.045046][ T0] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000 [ 0.045124][ T0] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45 [ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50 [ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8 [ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000 [ 0.045474][ T0] s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000 [ 0.045548][ T0] t5 : 0000000000000000 t6 : ffffffff814aa368 [ 0.045620][ T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d [ 0.046402][ T0] [<ffffffff80003b94>] restore_all+0x12/0x6e This because the $fp(aka. $s0) register is not used as frame pointer in the assembly entry code. resume_kernel: REG_L s0, TASK_TI_PREEMPT_COUNT(tp) bnez s0, restore_all REG_L s0, TASK_TI_FLAGS(tp) andi s0, s0, _TIF_NEED_RESCHED beqz s0, restore_all call preempt_schedule_irq j restore_all To fix above issue, here we add one extra level wrapper for function trace_hardirqs_{on,off}() so they can be safely called by low level entry code.

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/1851b9a467065b18ec2cba156eea345206df1c8f Patch
https://git.kernel.org/stable/c/22e2100b1b07d6f5acc71cc1acb53f680c677d77 Patch
https://git.kernel.org/stable/c/9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3 Patch
https://git.kernel.org/stable/c/b5e180490db4af8c0f80c4b65ee482d333d0e8ee Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc5:*:*:*:*:*:*
History

12 Sep 2024, 12:52

Type Values Removed Values Added
First Time Linux linux Kernel
Linux
CPE cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*
CWE CWE-476
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5
References () https://git.kernel.org/stable/c/1851b9a467065b18ec2cba156eea345206df1c8f - () https://git.kernel.org/stable/c/1851b9a467065b18ec2cba156eea345206df1c8f - Patch
References () https://git.kernel.org/stable/c/22e2100b1b07d6f5acc71cc1acb53f680c677d77 - () https://git.kernel.org/stable/c/22e2100b1b07d6f5acc71cc1acb53f680c677d77 - Patch
References () https://git.kernel.org/stable/c/9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3 - () https://git.kernel.org/stable/c/9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3 - Patch
References () https://git.kernel.org/stable/c/b5e180490db4af8c0f80c4b65ee482d333d0e8ee - () https://git.kernel.org/stable/c/b5e180490db4af8c0f80c4b65ee482d333d0e8ee - Patch

22 Aug 2024, 12:48

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: corrige los errores causados por el rastreador de latencia irqsoff trace_hardirqs_{on,off}() requiere que la persona que llama configure el puntero del marco correctamente. Esto se debe a que estas dos funciones utilizan la macro 'CALLER_ADDR1' (también conocida como __builtin_return_address(1)) para adquirir información de la persona que llama. Si $fp se usa para otro propósito, el código generado en esta macro (como se muestra a continuación) podría provocar una falla de acceso a la memoria. 0xffffffff8011510e &lt;+80&gt;: ld a1,-16(s0) 0xffffffff80115112 &lt;+84&gt;: ld s2,-8(a1) # &lt;-- error de paginación aquí El mensaje de ups durante el arranque si se compila con el rastreador 'irqoff' habilitado: [ 0.039615][T0] No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 00000000000000f8 [0.041925][T0] Ups [#1] [0.042063][T0] Módulos vinculados en: [0.042864][T0] CPU: 0 PID: 0 Comm : swapper/0 No contaminado 5.17.0-rc1-00233-g9a20c48d1ed2 #29 [ 0.043568][ T0] Nombre de hardware: riscv-virtio,qemu (DT) [ 0.044343][ T0] epc : trace_hardirqs_on+0x56/0xe2 [ 0.044601] [T0] ra: restaurar_all+0x12/0x6e [0.044721][T0] epc: ffffffff80126a5c ra: ffffffff80003b94 sp: ffffffff81403db0 [0.044801][T0] gp: ffffffff8163acd8 tp: ffffffff81414880 t0: 0000000000000020 [0.044882][T0] t1: 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0 [ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100 [ 0.045046][ T0] a2: 0000000000000000 a3: 0000000000000000 a4: 0000000000000000 [0.045124][T0] a5: 00000000000000000 a6: 0000000000000000 a7: 000000 0054494d45 [ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50 [ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00800120e8 [ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 00000000000000000 [ 0.045474][ T0 ] s11: 0000000000000000 t3: 7ffffffffffffff t4: 0000000000000000 [0.045548][T0] t5: 0000000000000000 t6: ffffffff814aa368 [0.045620][T0] 0000000200000100 badaddr: 00000000000000f8 causa: 000000000000000d [ 0.046402][ T0] [] restaurar_todo+ 0x12/0x6e Esto porque el $fp(aka. $s0) el registro no se utiliza como puntero de marco en el código de entrada del ensamblado. resume_kernel: reg_l s0, task_ti_preempt_count (tp) bnez s0, restaure_all reg_l s0, task_ti_flags (tp) andi s0, s0, _tif_need_resched beqz s0, restaure_all call preempt_schedul S_ { on,off}() para que puedan ser llamados de forma segura mediante un código de entrada de bajo nivel.

22 Aug 2024, 02:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-08-22 02:15

Updated : 2024-09-12 12:52

NVD link : CVE-2022-48922

Mitre link : CVE-2022-48922

CVE.ORG link : CVE-2022-48922

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-476

NULL Pointer Dereference