CVE-2022-49802 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix null pointer dereference in ftrace_add_mod()
The @ftrace_mod is allocated by kzalloc(), so both the members {prev,next}
of @ftrace_mode->list are NULL, it's not a valid state to call list_del(). If kstrdup() for @ftrace_mod->{func|module} fails, it goes to @out_free
tag and calls free_ftrace_mod() to destroy @ftrace_mod, then list_del() will write prev->next and next->prev, where null pointer dereference happens.
BUG: kernel NULL pointer dereference, address: 0000000000000008 Oops: 0002 [#1] PREEMPT SMP NOPTI
Call Trace: <TASK> ftrace_mod_callback+0x20d/0x220 ? do_filp_open+0xd9/0x140 ftrace_process_regex.isra.51+0xbf/0x130 ftrace_regex_write.isra.52.part.53+0x6e/0x90 vfs_write+0xee/0x3a0 ? __audit_filter_op+0xb1/0x100 ? auditd_test_task+0x38/0x50 ksys_write+0xa5/0xe0 do_syscall_64+0x3a/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Kernel panic - not syncing: Fatal exception
So call INIT_LIST_HEAD() to initialize the list member to fix this issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 11/07/2025
The vulnerability described in CVE-2022-49802 represents a critical null pointer dereference in the Linux kernel's function tracing subsystem, specifically within the ftrace_add_mod() function. This flaw exists in the kernel's ftrace module which is responsible for dynamic function tracing capabilities used for debugging and performance analysis. The issue manifests when the kernel attempts to manipulate linked list structures during function tracing setup operations, creating a scenario where memory management errors can lead to system crashes and potential security implications.
The technical root cause stems from improper initialization of the ftrace_mod structure's list members. When ftrace_mod is allocated using kzalloc(), the memory is zeroed but the list structure members prev and next remain NULL, creating an invalid state. The vulnerability occurs during the execution path where kstrdup() operations for the func or module fields may fail, triggering a goto statement to the out_free label. At this point, free_ftrace_mod() is called to destroy the ftrace_mod structure, but the subsequent list_del() operation attempts to access the prev->next and next->prev pointers which are NULL, resulting in the kernel NULL pointer dereference that crashes the system.
This vulnerability directly relates to CWE-476 which describes null pointer dereference conditions in software systems. The flaw demonstrates poor error handling in kernel memory management where the expected state of linked list structures is not properly maintained during error recovery paths. The kernel panic and system crash described in the stack trace indicate that this vulnerability can be exploited to cause denial of service conditions, potentially allowing attackers to crash the system or in more severe cases, potentially leading to privilege escalation depending on the attack surface. The call trace shows the execution path leading through ftrace_mod_callback, ftrace_process_regex, and eventually to vfs_write, demonstrating how this vulnerability can be triggered through normal kernel operations.
The operational impact of this vulnerability extends beyond simple system crashes as it affects the stability and reliability of systems relying on kernel function tracing capabilities. In production environments, this could lead to unexpected system downtime, particularly in systems using extensive kernel debugging or monitoring features. The vulnerability is particularly concerning because it occurs in the kernel's core tracing infrastructure, making it difficult to predict or prevent through user-space mitigations. The fix implemented involves calling INIT_LIST_HEAD() to properly initialize the list members, ensuring that even in error conditions, the linked list structure maintains valid pointers and prevents the null dereference scenario.
Mitigation strategies for this vulnerability include immediate kernel updates to patched versions containing the fix, which properly initializes the ftrace_mod list structure before any operations that might trigger error recovery paths. System administrators should prioritize patching systems running affected kernel versions, particularly those utilizing ftrace functionality for debugging or monitoring purposes. The vulnerability also highlights the importance of proper memory management and error handling in kernel code, emphasizing that even seemingly simple operations like list manipulation require careful consideration of all execution paths including error recovery scenarios. Security teams should monitor for potential exploitation attempts targeting this vulnerability, as it could be leveraged in privilege escalation attacks or as part of broader exploitation campaigns targeting kernel-level vulnerabilities.