CVE-2022-49885 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

ACPI: APEI: Fix integer overflow in ghes_estatus_pool_init()

Change num_ghes from int to unsigned int, preventing an overflow and causing subsequent vmalloc() to fail.

The overflow happens in ghes_estatus_pool_init() when calculating len during execution of the statement below as both multiplication operands here are signed int:

len += (num_ghes * GHES_ESOURCE_PREALLOC_MAX_SIZE);

The following call trace is observed because of this bug:

[ 9.317108] swapper/0: vmalloc error: size 18446744071562596352, exceeds total pages, mode:0xcc0(GFP_KERNEL), nodemask=(null),cpuset=/,mems_allowed=0-1
[ 9.317131] Call Trace:
[ 9.317134]
[ 9.317137] dump_stack_lvl+0x49/0x5f
[ 9.317145] dump_stack+0x10/0x12
[ 9.317146] warn_alloc.cold+0x7b/0xdf
[ 9.317150] ? __device_attach+0x16a/0x1b0
[ 9.317155] __vmalloc_node_range+0x702/0x740
[ 9.317160] ? device_add+0x17f/0x920
[ 9.317164] ? dev_set_name+0x53/0x70
[ 9.317166] ? platform_device_add+0xf9/0x240
[ 9.317168] __vmalloc_node+0x49/0x50
[ 9.317170] ? ghes_estatus_pool_init+0x43/0xa0
[ 9.317176] vmalloc+0x21/0x30
[ 9.317177] ghes_estatus_pool_init+0x43/0xa0
[ 9.317179] acpi_hest_init+0x129/0x19c
[ 9.317185] acpi_init+0x434/0x4a4
[ 9.317188] ? acpi_sleep_proc_init+0x2a/0x2a
[ 9.317190] do_one_initcall+0x48/0x200
[ 9.317195] kernel_init_freeable+0x221/0x284
[ 9.317200] ? rest_init+0xe0/0xe0
[ 9.317204] kernel_init+0x1a/0x130
[ 9.317205] ret_from_fork+0x22/0x30
[ 9.317208]

[ rjw: Subject and changelog edits ]

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 08/15/2025

The vulnerability described in CVE-2022-49885 resides within the Linux kernel's Advanced Configuration and Power Interface (ACPI) subsystem, specifically within the APEI (ACPI Platform Error Interface) component. This flaw manifests as an integer overflow in the ghes_estatus_pool_init() function, which is responsible for initializing error status pools for hardware error reporting. The issue stems from a type casting inconsistency where the variable num_ghes is declared as a signed integer rather than an unsigned integer, creating a potential for arithmetic overflow during critical calculations.

The technical execution of this vulnerability occurs when the system attempts to calculate the memory allocation size for error status structures through the expression len += (num_ghes * GHES_ESOURCE_PREALLOC_MAX_SIZE). Since both operands in this multiplication are signed integers, a large value for num_ghes can cause the multiplication to overflow the signed integer range, resulting in a negative or unexpectedly large positive value. This overflowed value then gets passed to vmalloc() which interprets it as a memory allocation request, leading to a kernel memory allocation failure. The call trace demonstrates this failure occurring during kernel initialization when the system attempts to allocate approximately 18446744071562596352 bytes of memory, which far exceeds available system resources and triggers the vmalloc error.

The operational impact of this vulnerability is significant as it can cause system boot failures or kernel panics during the early boot process when the ACPI subsystem initializes. Systems affected by this vulnerability may experience complete system crashes or be unable to boot properly, particularly in environments with a large number of hardware error sources. The vulnerability affects systems running Linux kernels that include the specific commit addressing this issue, making it a critical concern for enterprise and server environments where reliable system boot and error reporting are essential. This flaw represents a classic case of integer overflow in kernel space, which can be exploited to cause denial of service conditions and potentially provide attackers with opportunities to disrupt system operations.

The fix for this vulnerability involves changing the declaration of num_ghes from int to unsigned int, which prevents the arithmetic overflow that occurs during multiplication operations. This change aligns with common security practices for handling counters and size calculations in kernel code, where unsigned integers are preferred for values that represent counts or memory sizes to avoid signed integer overflow scenarios. The mitigation approach follows established security principles for kernel development and aligns with CWE-190, which addresses integer overflow and underflow conditions. This vulnerability also relates to ATT&CK technique T1499.001, which covers system network configuration modification, as the failure can affect system initialization and network availability. Organizations should prioritize applying the kernel update containing this fix to prevent potential boot failures and maintain system stability, particularly in mission-critical environments where system reliability is paramount. The vulnerability demonstrates the importance of careful integer type selection in kernel space programming and highlights the need for comprehensive testing of arithmetic operations that could lead to memory allocation failures.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00190

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!