CVE-2022-48940 in Linux
Riassunto
di VulDB • 29/06/2026
Based on the stack trace provided, here is an analysis of what happened and how to proceed.
### **Summary** This is a **kernel crash (Oops/Panic)** occurring in user-space context during a `nanosleep` system call. The critical indicator is: - **RIP**: Points to user-space library code (`0x7f9e4831718d`). - **ORIG_RAX**: `0x23` = System Call Number 35, which corresponds to **`nanosleep`** on x86_64. - The crash happened while executing user-space code that was invoked via a BPF trampoline (`bpf_trampoline_...`).
---
### **Key Observations & Analysis**
#### 1. **The Crash Location is User-Space, Not Kernel** ```text RIP: 0033:0x7f9e4831718d Code: ... f3 0f 1e fa 48 89 f8 ... ``` - The `RIP` register points to a user-space address (`0x7f...`). This is **not** a kernel function. - The crash occurred in the process of executing a system call or library function that was intercepted/modified by BPF (eBPF).
#### 2. **BPF Trampoline Involvement** ```text bpf_trampoline_6442477838_0+0x36/0x1000 __x64_sys_nanosleep+0x5/0x140 do_syscall_64+0x59/0x80 ``` - The kernel was handling the `nanosleep` syscall. - A BPF program (likely a **kprobe**, **tracepoint**, or **fentry/fexit** probe) attached to `sys_nanosleep` triggered a trampoline. - The crash happened in user-space code that was somehow executed as part of this flow, which is unusual unless: - The BPF program incorrectly modified registers/memory before returning to user space. - A **user-mode BPF** (eBPF) or **XDP/TC** filter caused a fault during syscall return path. - There’s a bug in the kernel’s handling of BPF trampolines when interacting with certain glibc/libc implementations.
#### 3. **Error Code: `RAX = ffffffffffffffda` (-42)** - `-42` is **-ENOTSUPP** (Operation not supported) or sometimes used for other errors depending on context, but in syscall return values, it often indicates an invalid argument or unsupported operation. However, since the crash happened *during* execution, this might be a leftover value from before the fault.
#### 4. **Possible Causes** - **BPF Program Bug**: A BPF program attached to `sys_nanosleep` may have corrupted user-space registers or stack pointers before returning. - **glibc/libc Issue**: The crash address (`0x7f9e4831718d`) likely belongs to a shared library (e.g., `libpthread.so`, `libc.so`). Check which binary/library this address maps to: ```bash # On the crashing system, run: addr2line -e /path/to/libc.so.6 0x7f9e4831718d # or check with gdb if core dump is available ``` - **Kernel Bug**: A regression in how the kernel handles BPF trampolines during syscall return, especially on newer kernels (5.x/6.x).
---
### **How to Debug Further**
#### ✅ Step 1: Identify the User-Space Binary/Library Find which library contains `0x7f9e4831718d`: ```bash # If you have a core dump or can reproduce in gdb: gdb -c /path/to/corefile (gdb) info proc mappings (gdb) disassemble 0x7f9e4831718d ```
#### ✅ Step 2: Check for BPF Programs Attached to `sys_nanosleep` List all eBPF programs attached to the syscall: ```bash sudo bpftool prog list | grep nanosleep # or sudo bpftrace -e 'kprobe:sys_nanosleep { printf("nanosleep called\n"); }'
```
#### ✅ Step 3: Reproduce with Minimal BPF Programs Temporarily remove all eBPF programs attached to `syscalls` and see if the crash persists. If it stops
If you want to get the best quality for vulnerability data then you always have to consider VulDB.