CVE-2022-49801 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix memory leak in tracing_read_pipe()
kmemleak reports this issue:
unreferenced object 0xffff888105a18900 (size 128): comm "test_progs", pid 18933, jiffies 4336275356 (age 22801.766s) hex dump (first 32 bytes): 25 73 00 90 81 88 ff ff 26 05 00 00 42 01 58 04 %s......&...B.X. 03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000560143a1>] __kmalloc_node_track_caller+0x4a/0x140
[<000000006af00822>] krealloc+0x8d/0xf0
[<00000000c309be6a>] trace_iter_expand_format+0x99/0x150
[<000000005a53bdb6>] trace_check_vprintf+0x1e0/0x11d0
[<0000000065629d9d>] trace_event_printf+0xb6/0xf0
[<000000009a690dc7>] trace_raw_output_bpf_trace_printk+0x89/0xc0
[<00000000d22db172>] print_trace_line+0x73c/0x1480
[<00000000cdba76ba>] tracing_read_pipe+0x45c/0x9f0
[<0000000015b58459>] vfs_read+0x17b/0x7c0
[<000000004aeee8ed>] ksys_read+0xed/0x1c0
[<0000000063d3d898>] do_syscall_64+0x3b/0x90
[<00000000a06dda7f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
iter->fmt alloced in tracing_read_pipe() -> .. ->trace_iter_expand_format(), but not freed, to fix, add free in tracing_release_pipe()
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 11/07/2025
The vulnerability identified as CVE-2022-49801 represents a memory leak within the Linux kernel's tracing subsystem, specifically affecting the tracing_read_pipe() function. This issue was detected through kmemleak analysis which identified an unreferenced object of 128 bytes that remained allocated in memory for over 22,800 seconds. The memory leak occurs when the kernel's trace iteration functionality fails to properly release allocated memory resources during the tracing process. The object in question was allocated by the __kmalloc_node_track_caller function and subsequently passed through multiple kernel functions including krealloc, trace_iter_expand_format, and trace_event_printf before reaching the final point of failure in tracing_read_pipe. The leak manifests when the tracing subsystem processes BPF trace print statements, particularly during raw output operations through trace_raw_output_bpf_trace_printk. This vulnerability falls under the CWE-401 category of "Improper Release of Memory" and represents a classic case of resource management failure where allocated kernel memory is not properly deallocated. The affected kernel function tracing_read_pipe() allocates memory for format expansion through trace_iter_expand_format but fails to ensure proper cleanup during the release phase. This type of memory leak can lead to gradual system memory exhaustion over time, particularly in systems with heavy tracing activity or frequent BPF trace operations. The ATT&CK framework categorizes this as a resource exhaustion technique under T1499.001 - Resource Exhaustion, where insufficient memory management can cause system instability and performance degradation. The specific call path shows the allocation occurs during the processing of trace events, particularly when handling printf-style formatting operations in BPF tracing contexts, making it particularly relevant for systems employing extensive kernel tracing for debugging or monitoring purposes. The vulnerability is particularly concerning because it affects core kernel functionality and can persist across system operations, potentially leading to denial of service conditions or degraded system performance. The fix requires adding proper memory cleanup in the tracing_release_pipe() function to ensure that memory allocated in the tracing_read_pipe() call chain is properly freed, preventing the accumulation of unreferenced objects in kernel memory space. This type of memory leak demonstrates the critical importance of proper resource management in kernel code and highlights the potential for seemingly minor resource management issues to have significant operational impacts on system stability and security. The vulnerability affects all Linux kernel versions that implement the tracing subsystem with BPF trace capabilities and represents a fundamental flaw in the kernel's memory management for tracing operations.