CVE-2022-49796 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
tracing: kprobe: Fix potential null-ptr-deref on trace_array in kprobe_event_gen_test_exit()
When test_gen_kprobe_cmd() failed after kprobe_event_gen_cmd_end(), it will goto delete, which will call kprobe_event_delete() and release the corresponding resource. However, the trace_array in gen_kretprobe_test will point to the invalid resource. Set gen_kretprobe_test to NULL after called kprobe_event_delete() to prevent null-ptr-deref.
BUG: kernel NULL pointer dereference, address: 0000000000000070 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI
CPU: 0 PID: 246 Comm: modprobe Tainted: G W 6.1.0-rc1-00174-g9522dc5c87da-dirty #248 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:__ftrace_set_clr_event_nolock+0x53/0x1b0 Code: e8 82 26 fc ff 49 8b 1e c7 44 24 0c ea ff ff ff 49 39 de 0f 84 3c 01 00 00 c7 44 24 18 00 00 00 00 e8 61 26 fc ff 48 8b 6b 10 <44> 8b 65 70 4c 8b 6d 18 41 f7 c4 00 02 00 00 75 2f RSP: 0018:ffffc9000159fe00 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88810971d268 RCX: 0000000000000000 RDX: ffff8881080be600 RSI: ffffffff811b48ff RDI: ffff88810971d058 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 R10: ffffc9000159fe58 R11: 0000000000000001 R12: ffffffffa0001064 R13: ffffffffa000106c R14: ffff88810971d238 R15: 0000000000000000 FS: 00007f89eeff6540(0000) GS:ffff88813b600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000070 CR3: 000000010599e004 CR4: 0000000000330ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __ftrace_set_clr_event+0x3e/0x60 trace_array_set_clr_event+0x35/0x50 ? 0xffffffffa0000000 kprobe_event_gen_test_exit+0xcd/0x10b [kprobe_event_gen_test]
__x64_sys_delete_module+0x206/0x380 ? lockdep_hardirqs_on_prepare+0xd8/0x190 ? syscall_enter_from_user_mode+0x1c/0x50 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f89eeb061b7
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 11/07/2025
The vulnerability described in CVE-2022-49796 resides within the Linux kernel's tracing subsystem, specifically in the kprobe functionality that enables dynamic tracing of kernel functions. This flaw manifests as a potential null pointer dereference during the execution of kprobe event generation tests, particularly when the test command fails after a certain execution phase. The issue occurs in the kprobe_event_gen_test_exit() function where the trace_array pointer becomes invalid, leading to a kernel oops and potential system crash. The problem stems from improper resource management during error handling paths, where the kprobe_event_delete() function is called to release resources, but the gen_kretprobe_test pointer is not properly cleared afterward.
The technical root cause involves a race condition and improper state management within the kernel's tracing infrastructure. When test_gen_kprobe_cmd() fails after kprobe_event_gen_cmd_end() has been executed, the code path transitions to a delete label that invokes kprobe_event_delete(). This function releases the associated resources, but fails to nullify the gen_kretprobe_test pointer reference. Subsequently, when the system attempts to access this trace_array, it encounters a null pointer dereference at address 0x70, which corresponds to a memory access violation in the kernel's event tracing mechanism. This behavior aligns with CWE-476, which describes null pointer dereference vulnerabilities, and represents a classic case of improper resource cleanup in kernel space.
The operational impact of this vulnerability extends beyond simple system crashes, as it can lead to denial of service conditions that compromise system stability and availability. An attacker who can trigger the specific failure condition could potentially cause kernel panics, system reboots, or even facilitate more sophisticated attacks by leveraging the kernel's instability. The vulnerability affects systems running kernel versions that include the problematic tracing code, particularly those utilizing kprobe functionality for debugging or monitoring purposes. The attack surface is primarily limited to kernel module loading operations and tracing subsystem interactions, but the consequences can be severe as they affect the fundamental kernel stability. This vulnerability directly maps to ATT&CK technique T1068, which involves exploiting privileges to gain elevated access, and more specifically targets the kernel's privilege escalation mechanisms through system instability.
Mitigation strategies for CVE-2022-49796 involve applying the kernel patch that properly sets gen_kretprobe_test to NULL after kprobe_event_delete() is called, ensuring that subsequent accesses to the trace_array will not result in null pointer dereferences. System administrators should update to kernel versions that include this fix, typically those incorporating the specific commit that resolves the issue. Additionally, monitoring systems for kernel oops messages or unexpected system crashes can help identify potential exploitation attempts. The fix implemented addresses the immediate resource management issue by ensuring proper pointer invalidation, preventing the kernel from accessing freed memory structures. Organizations should also consider implementing kernel hardening measures such as kernel page table isolation and other security mitigations that can reduce the attack surface and prevent exploitation of similar vulnerabilities in the tracing subsystem.