CVE-2022-49801 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix memory leak in tracing_read_pipe()

kmemleak reports this issue:

unreferenced object 0xffff888105a18900 (size 128): comm "test_progs", pid 18933, jiffies 4336275356 (age 22801.766s) hex dump (first 32 bytes): 25 73 00 90 81 88 ff ff 26 05 00 00 42 01 58 04 %s......&...B.X. 03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000560143a1>] __kmalloc_node_track_caller+0x4a/0x140
[<000000006af00822>] krealloc+0x8d/0xf0
[<00000000c309be6a>] trace_iter_expand_format+0x99/0x150
[<000000005a53bdb6>] trace_check_vprintf+0x1e0/0x11d0
[<0000000065629d9d>] trace_event_printf+0xb6/0xf0
[<000000009a690dc7>] trace_raw_output_bpf_trace_printk+0x89/0xc0
[<00000000d22db172>] print_trace_line+0x73c/0x1480
[<00000000cdba76ba>] tracing_read_pipe+0x45c/0x9f0
[<0000000015b58459>] vfs_read+0x17b/0x7c0
[<000000004aeee8ed>] ksys_read+0xed/0x1c0
[<0000000063d3d898>] do_syscall_64+0x3b/0x90
[<00000000a06dda7f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

iter->fmt alloced in tracing_read_pipe() -> .. ->trace_iter_expand_format(), but not freed, to fix, add free in tracing_release_pipe()

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 11/07/2025

The vulnerability identified as CVE-2022-49801 represents a memory leak within the Linux kernel's tracing subsystem, specifically affecting the tracing_read_pipe() function. This issue was detected through kmemleak analysis which identified an unreferenced object of 128 bytes that remained allocated in memory for over 22,800 seconds. The memory leak occurs when the kernel's trace iteration functionality fails to properly release allocated memory resources during the tracing process. The object in question was allocated by the __kmalloc_node_track_caller function and subsequently passed through multiple kernel functions including krealloc, trace_iter_expand_format, and trace_event_printf before reaching the final point of failure in tracing_read_pipe. The leak manifests when the tracing subsystem processes BPF trace print statements, particularly during raw output operations through trace_raw_output_bpf_trace_printk. This vulnerability falls under the CWE-401 category of "Improper Release of Memory" and represents a classic case of resource management failure where allocated kernel memory is not properly deallocated. The affected kernel function tracing_read_pipe() allocates memory for format expansion through trace_iter_expand_format but fails to ensure proper cleanup during the release phase. This type of memory leak can lead to gradual system memory exhaustion over time, particularly in systems with heavy tracing activity or frequent BPF trace operations. The ATT&CK framework categorizes this as a resource exhaustion technique under T1499.001 - Resource Exhaustion, where insufficient memory management can cause system instability and performance degradation. The specific call path shows the allocation occurs during the processing of trace events, particularly when handling printf-style formatting operations in BPF tracing contexts, making it particularly relevant for systems employing extensive kernel tracing for debugging or monitoring purposes. The vulnerability is particularly concerning because it affects core kernel functionality and can persist across system operations, potentially leading to denial of service conditions or degraded system performance. The fix requires adding proper memory cleanup in the tracing_release_pipe() function to ensure that memory allocated in the tracing_read_pipe() call chain is properly freed, preventing the accumulation of unreferenced objects in kernel memory space. This type of memory leak demonstrates the critical importance of proper resource management in kernel code and highlights the potential for seemingly minor resource management issues to have significant operational impacts on system stability and security. The vulnerability affects all Linux kernel versions that implement the tracing subsystem with BPF trace capabilities and represents a fundamental flaw in the kernel's memory management for tracing operations.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00164

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!