CVE-2022-49894 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
cxl/region: Fix region HPA ordering validation
Some regions may not have any address space allocated. Skip them when validating HPA order otherwise a crash like the following may result:
devm_cxl_add_region: cxl_acpi cxl_acpi.0: decoder3.4: created region9 BUG: kernel NULL pointer dereference, address: 0000000000000000 [..]
RIP: 0010:store_targetN+0x655/0x1740 [cxl_core]
[..]
Call Trace: kernfs_fop_write_iter+0x144/0x200 vfs_write+0x24a/0x4d0 ksys_write+0x69/0xf0 do_syscall_64+0x3a/0x90
store_targetN+0x655/0x1740: alloc_region_ref at drivers/cxl/core/region.c:676 (inlined by) cxl_port_attach_region at drivers/cxl/core/region.c:850 (inlined by) cxl_region_attach at drivers/cxl/core/region.c:1290 (inlined by) attach_target at drivers/cxl/core/region.c:1410 (inlined by) store_targetN at drivers/cxl/core/region.c:1453
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/01/2025
The vulnerability CVE-2022-49894 represents a critical null pointer dereference issue within the Linux kernel's CXL (Compute Express Link) subsystem, specifically affecting the cxl/region component. This flaw manifests during the validation of HPA (Host Protected Area) ordering for CXL memory regions, where the kernel fails to properly handle regions that have not been allocated any address space. The vulnerability stems from inadequate input validation and error handling within the memory region management code, creating a scenario where the kernel attempts to dereference a null pointer when processing CXL region attachments.
The technical implementation of this vulnerability occurs in the drivers/cxl/core/region.c file where the store_targetN function attempts to validate HPA ordering without first checking if the region has allocated address space. When a CXL region lacks address space allocation, the system proceeds to call alloc_region_ref which returns a null pointer, leading to the subsequent null pointer dereference in the store_targetN function. This failure point is particularly dangerous because it occurs during the kernel's normal operation when attaching CXL regions, making it exploitable through legitimate kernel operations rather than requiring special privileges or malicious input.
The operational impact of this vulnerability is severe as it can cause immediate system crashes and kernel panics, resulting in complete system downtime. The crash pattern shows a classic kernel NULL pointer dereference with the RIP (instruction pointer) pointing to store_targetN function, indicating that the kernel's memory management subsystem fails catastrophically when encountering improperly initialized CXL regions. This vulnerability affects systems utilizing CXL memory controllers and can potentially lead to denial of service attacks against systems running Linux kernels with CXL support, particularly in data center and high-performance computing environments where CXL technology is prevalent.
Mitigation strategies for CVE-2022-49894 involve applying the official kernel patch that introduces proper null pointer checks before attempting to validate HPA ordering for CXL regions. System administrators should prioritize updating to kernel versions that include the fix, typically kernel versions 5.19.12 or later, as these releases contain the necessary validation logic to skip regions without allocated address space. Additionally, organizations should implement monitoring for kernel crash logs and system stability indicators to detect potential exploitation attempts. The vulnerability aligns with CWE-476 which describes NULL pointer dereference issues, and may be relevant to ATT&CK technique T1499.004 for network denial of service attacks. Organizations should also consider implementing kernel lockdown mechanisms and ensuring proper kernel version management to prevent similar issues in other subsystems.