CVE-2022-49797 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
tracing: kprobe: Fix potential null-ptr-deref on trace_event_file in kprobe_event_gen_test_exit()
When trace_get_event_file() failed, gen_kretprobe_test will be assigned as the error code. If module kprobe_event_gen_test is removed now, the null pointer dereference will happen in kprobe_event_gen_test_exit(). Check if gen_kprobe_test or gen_kretprobe_test is error code or NULL before dereference them.
BUG: kernel NULL pointer dereference, address: 0000000000000012 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI
CPU: 3 PID: 2210 Comm: modprobe Not tainted 6.1.0-rc1-00171-g2159299a3b74-dirty #217 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:kprobe_event_gen_test_exit+0x1c/0xb5 [kprobe_event_gen_test]
Code: Unable to access opcode bytes at 0xffffffff9ffffff2. RSP: 0018:ffffc900015bfeb8 EFLAGS: 00010246 RAX: ffffffffffffffea RBX: ffffffffa0002080 RCX: 0000000000000000 RDX: ffffffffa0001054 RSI: ffffffffa0001064 RDI: ffffffffdfc6349c RBP: ffffffffa0000000 R08: 0000000000000004 R09: 00000000001e95c0 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000800 R13: ffffffffa0002420 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f56b75be540(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff9ffffff2 CR3: 000000010874a006 CR4: 0000000000330ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __x64_sys_delete_module+0x206/0x380 ? lockdep_hardirqs_on_prepare+0xd8/0x190 ? syscall_enter_from_user_mode+0x1c/0x50 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 11/07/2025
The vulnerability described in CVE-2022-49797 resides within the Linux kernel's tracing subsystem, specifically in the kprobe functionality that enables dynamic tracing of kernel functions. This issue manifests as a potential null pointer dereference occurring in the kprobe_event_gen_test_exit() function, which is part of the kernel's tracing infrastructure designed to support kernel function tracing and debugging. The flaw arises from improper handling of error conditions during the initialization of kprobe trace events, creating a scenario where kernel memory corruption can occur when attempting to clean up trace event resources.
The technical root cause of this vulnerability stems from a race condition and inadequate validation during the kprobe event setup process. When the trace_get_event_file() function fails to retrieve or initialize a trace event file, it returns an error code that gets assigned to either gen_kprobe_test or gen_kretprobe_test variables. These variables are then later dereferenced in the kprobe_event_gen_test_exit() function without proper checks to determine if they contain valid pointers or error codes. This pattern violates standard kernel programming practices and represents a classic null pointer dereference vulnerability that can lead to system crashes or potentially exploitable conditions.
The operational impact of this vulnerability extends beyond simple system instability, as it can result in kernel oops messages and system crashes that may be difficult to diagnose and recover from. The reported kernel crash occurs at address 0x0000000000000012, indicating a severe memory access violation that typically leads to immediate system termination. This vulnerability affects systems running kernel versions that include the problematic tracing code and can be triggered through module loading and unloading operations, particularly when dealing with kprobe-based tracing modules. The crash occurs in the context of the modprobe utility, suggesting that the vulnerability can be exploited through module management operations that are common in system administration and kernel development activities.
The fix for this vulnerability involves implementing proper validation checks before dereferencing the gen_kprobe_test and gen_kretprobe_test variables. This solution aligns with the principles of secure kernel programming and follows the CWE-476 principle of null pointer dereference prevention. The mitigation strategy requires checking whether these variables contain valid pointers or error codes before attempting to access their contents, effectively preventing the kernel from attempting to dereference null or invalid memory locations. This approach aligns with the ATT&CK technique of privilege escalation through kernel vulnerabilities, as it prevents potential exploitation that could lead to unauthorized system access or privilege escalation. The vulnerability is particularly concerning because it affects the kernel's ability to safely manage trace events, which are fundamental components of system monitoring and debugging capabilities, making it a critical security issue for any system relying on kernel tracing functionality.