CVE-2022-48922 in Linux
Summary
by MITRE • 08/22/2024
In the Linux kernel, the following vulnerability has been resolved:
riscv: fix oops caused by irqsoff latency tracer
The trace_hardirqs_{on,off}() require the caller to setup frame pointer
properly. This because these two functions use macro 'CALLER_ADDR1' (aka. __builtin_return_address(1)) to acquire caller info. If the $fp is used for other purpose, the code generated this macro (as below) could trigger memory access fault.
0xffffffff8011510e : ld a1,-16(s0) 0xffffffff80115112 : ld s2,-8(a1) # <-- paging fault here
The oops message during booting if compiled with 'irqoff' tracer enabled: [ 0.039615][ T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8
[ 0.041925][ T0] Oops [#1]
[ 0.042063][ T0] Modules linked in:
[ 0.042864][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29
[ 0.043568][ T0] Hardware name: riscv-virtio,qemu (DT)
[ 0.044343][ T0] epc : trace_hardirqs_on+0x56/0xe2
[ 0.044601][ T0] ra : restore_all+0x12/0x6e
[ 0.044721][ T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0
[ 0.044801][ T0] gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020
[ 0.044882][ T0] t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0
[ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100
[ 0.045046][ T0] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000
[ 0.045124][ T0] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45
[ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50
[ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8
[ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000
[ 0.045474][ T0] s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000
[ 0.045548][ T0] t5 : 0000000000000000 t6 : ffffffff814aa368
[ 0.045620][ T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d
[ 0.046402][ T0] [] restore_all+0x12/0x6e
This because the $fp(aka. $s0) register is not used as frame pointer in the assembly entry code.
resume_kernel: REG_L s0, TASK_TI_PREEMPT_COUNT(tp) bnez s0, restore_all REG_L s0, TASK_TI_FLAGS(tp) andi s0, s0, _TIF_NEED_RESCHED beqz s0, restore_all call preempt_schedule_irq j restore_all
To fix above issue, here we add one extra level wrapper for function trace_hardirqs_{on,off}() so they can be safely called by low level entry
code.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 09/12/2024
The vulnerability identified as CVE-2022-48922 affects the Linux kernel's handling of interrupt tracing on RISC-V architecture systems. This issue stems from improper frame pointer management within the trace_hardirqs_on and trace_hardirqs_off functions, which are critical components of the kernel's latency tracing infrastructure. The functions rely on the CALLER_ADDR1 macro, which internally uses __builtin_return_address(1) to obtain caller information, making them dependent on proper frame pointer setup. When the frame pointer register is repurposed for other operations within the assembly entry code, as occurs in the RISC-V kernel's resume_kernel function, the generated code can trigger memory access faults during kernel boot processes.
The technical flaw manifests when the kernel attempts to access memory locations using an invalid frame pointer reference, specifically causing a NULL pointer dereference at virtual address 00000000000000f8 during boot operations when the irqoff tracer is enabled. The oops message demonstrates the failure occurring in trace_hardirqs_on function with a paging fault at the instruction ld s2,-8(a1), indicating that the frame pointer setup has been corrupted or misused. This vulnerability is particularly concerning because it affects kernel boot processes and can prevent system initialization from completing successfully, potentially leading to system crashes or complete boot failures.
The operational impact of this vulnerability extends beyond simple system crashes to encompass potential denial of service scenarios and system instability during critical boot phases. Attackers could potentially exploit this flaw to cause system-wide failures or create conditions where the kernel cannot properly initialize interrupt handling mechanisms. The vulnerability is specific to RISC-V architecture implementations and affects kernel versions including 5.17.0-rc1, making it particularly relevant for embedded systems, virtualized environments, and devices running RISC-V based operating systems. The issue affects systems using the irqoff tracer functionality, which is commonly enabled for debugging and performance monitoring purposes.
The fix implemented for this vulnerability involves adding an extra wrapper level for the trace_hardirqs_on and trace_hardirqs_off functions to ensure they can be safely invoked by low-level entry code without requiring proper frame pointer setup. This approach addresses the underlying architectural mismatch between the tracing functions' expectations and the actual register usage in the RISC-V kernel entry path. The solution aligns with common security practices for kernel-level vulnerabilities and follows the principle of least privilege by ensuring that tracing functions do not rely on potentially corrupted or misused frame pointer registers. This fix prevents the memory access faults that occur when the frame pointer register is repurposed in assembly entry code, thereby restoring proper kernel boot functionality and interrupt handling capabilities.
This vulnerability relates to CWE-122, which describes heap-based buffer overflow conditions, and represents a specific case of improper memory access due to frame pointer corruption. The issue also maps to ATT&CK technique T1490, which involves system network configuration modification, as it affects fundamental interrupt handling mechanisms. The vulnerability demonstrates the importance of proper frame pointer management in kernel code and highlights the risks associated with tracing infrastructure in architecture-specific kernel implementations. The fix ensures that kernel tracing functions maintain their intended functionality while avoiding architectural conflicts that could lead to system instability or crashes during boot processes.