cve-2022-49888
Vulnerability from cvelistv5
Published
2025-05-01 14:10
Modified
2025-05-01 14:10
Severity ?
EPSS score ?
Summary
arm64: entry: avoid kprobe recursion
References
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/entry-common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71d6c33fe223255f4416a01514da2c0bc3e283e7",
"status": "affected",
"version": "6459b8469753e9feaa8b34691d097cffad905931",
"versionType": "git"
},
{
"lessThan": "db66629d43b2d12cb43b004a4ca6be1d03228e97",
"status": "affected",
"version": "6459b8469753e9feaa8b34691d097cffad905931",
"versionType": "git"
},
{
"lessThan": "024f4b2e1f874934943eb2d3d288ebc52c79f55c",
"status": "affected",
"version": "6459b8469753e9feaa8b34691d097cffad905931",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/entry-common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: entry: avoid kprobe recursion\n\nThe cortex_a76_erratum_1463225_debug_handler() function is called when\nhandling debug exceptions (and synchronous exceptions from BRK\ninstructions), and so is called when a probed function executes. If the\ncompiler does not inline cortex_a76_erratum_1463225_debug_handler(), it\ncan be probed.\n\nIf cortex_a76_erratum_1463225_debug_handler() is probed, any debug\nexception or software breakpoint exception will result in recursive\nexceptions leading to a stack overflow. This can be triggered with the\nftrace multiple_probes selftest, and as per the example splat below.\n\nThis is a regression caused by commit:\n\n 6459b8469753e9fe (\"arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround\")\n\n... which removed the NOKPROBE_SYMBOL() annotation associated with the\nfunction.\n\nMy intent was that cortex_a76_erratum_1463225_debug_handler() would be\ninlined into its caller, el1_dbg(), which is marked noinstr and cannot\nbe probed. Mark cortex_a76_erratum_1463225_debug_handler() as\n__always_inline to ensure this.\n\nExample splat prior to this patch (with recursive entries elided):\n\n| # echo p cortex_a76_erratum_1463225_debug_handler \u003e /sys/kernel/debug/tracing/kprobe_events\n| # echo p do_el0_svc \u003e\u003e /sys/kernel/debug/tracing/kprobe_events\n| # echo 1 \u003e /sys/kernel/debug/tracing/events/kprobes/enable\n| Insufficient stack space to handle exception!\n| ESR: 0x0000000096000047 -- DABT (current EL)\n| FAR: 0xffff800009cefff0\n| Task stack: [0xffff800009cf0000..0xffff800009cf4000]\n| IRQ stack: [0xffff800008000000..0xffff800008004000]\n| Overflow stack: [0xffff00007fbc00f0..0xffff00007fbc10f0]\n| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : arm64_enter_el1_dbg+0x4/0x20\n| lr : el1_dbg+0x24/0x5c\n| sp : ffff800009cf0000\n| x29: ffff800009cf0000 x28: ffff000002c74740 x27: 0000000000000000\n| x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n| x23: 00000000604003c5 x22: ffff80000801745c x21: 0000aaaac95ac068\n| x20: 00000000f2000004 x19: ffff800009cf0040 x18: 0000000000000000\n| x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n| x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n| x11: 0000000000000010 x10: ffff800008c87190 x9 : ffff800008ca00d0\n| x8 : 000000000000003c x7 : 0000000000000000 x6 : 0000000000000000\n| x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000043a4\n| x2 : 00000000f2000004 x1 : 00000000f2000004 x0 : ffff800009cf0040\n| Kernel panic - not syncing: kernel stack overflow\n| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2\n| Hardware name: linux,dummy-virt (DT)\n| Call trace:\n| dump_backtrace+0xe4/0x104\n| show_stack+0x18/0x4c\n| dump_stack_lvl+0x64/0x7c\n| dump_stack+0x18/0x38\n| panic+0x14c/0x338\n| test_taint+0x0/0x2c\n| panic_bad_stack+0x104/0x118\n| handle_bad_stack+0x34/0x48\n| __bad_stack+0x78/0x7c\n| arm64_enter_el1_dbg+0x4/0x20\n| el1h_64_sync_handler+0x40/0x98\n| el1h_64_sync+0x64/0x68\n| cortex_a76_erratum_1463225_debug_handler+0x0/0x34\n...\n| el1h_64_sync_handler+0x40/0x98\n| el1h_64_sync+0x64/0x68\n| cortex_a76_erratum_1463225_debug_handler+0x0/0x34\n...\n| el1h_64_sync_handler+0x40/0x98\n| el1h_64_sync+0x64/0x68\n| cortex_a76_erratum_1463225_debug_handler+0x0/0x34\n| el1h_64_sync_handler+0x40/0x98\n| el1h_64_sync+0x64/0x68\n| do_el0_svc+0x0/0x28\n| el0t_64_sync_handler+0x84/0xf0\n| el0t_64_sync+0x18c/0x190\n| Kernel Offset: disabled\n| CPU features: 0x0080,00005021,19001080\n| Memory Limit: none\n| ---[ end Kernel panic - not syncing: kernel stack overflow ]---\n\nWith this patch, cortex_a76_erratum_1463225_debug_handler() is inlined\ninto el1_dbg(), and el1_dbg() cannot be probed:\n\n| # echo p cortex_a76_erratum_1463225_debug_handler \u003e /sys/kernel/debug/tracing/kprobe_events\n| sh: write error: No such file or directory\n| # grep -w cortex_a76_errat\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T14:10:33.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71d6c33fe223255f4416a01514da2c0bc3e283e7"
},
{
"url": "https://git.kernel.org/stable/c/db66629d43b2d12cb43b004a4ca6be1d03228e97"
},
{
"url": "https://git.kernel.org/stable/c/024f4b2e1f874934943eb2d3d288ebc52c79f55c"
}
],
"title": "arm64: entry: avoid kprobe recursion",
"x_generator": {
"engine": "bippy-1.1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49888",
"datePublished": "2025-05-01T14:10:33.183Z",
"dateReserved": "2025-05-01T14:05:17.242Z",
"dateUpdated": "2025-05-01T14:10:33.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-49888\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-01T15:16:13.790\",\"lastModified\":\"2025-05-01T15:16:13.790\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64: entry: avoid kprobe recursion\\n\\nThe cortex_a76_erratum_1463225_debug_handler() function is called when\\nhandling debug exceptions (and synchronous exceptions from BRK\\ninstructions), and so is called when a probed function executes. If the\\ncompiler does not inline cortex_a76_erratum_1463225_debug_handler(), it\\ncan be probed.\\n\\nIf cortex_a76_erratum_1463225_debug_handler() is probed, any debug\\nexception or software breakpoint exception will result in recursive\\nexceptions leading to a stack overflow. This can be triggered with the\\nftrace multiple_probes selftest, and as per the example splat below.\\n\\nThis is a regression caused by commit:\\n\\n 6459b8469753e9fe (\\\"arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround\\\")\\n\\n... which removed the NOKPROBE_SYMBOL() annotation associated with the\\nfunction.\\n\\nMy intent was that cortex_a76_erratum_1463225_debug_handler() would be\\ninlined into its caller, el1_dbg(), which is marked noinstr and cannot\\nbe probed. Mark cortex_a76_erratum_1463225_debug_handler() as\\n__always_inline to ensure this.\\n\\nExample splat prior to this patch (with recursive entries elided):\\n\\n| # echo p cortex_a76_erratum_1463225_debug_handler \u003e /sys/kernel/debug/tracing/kprobe_events\\n| # echo p do_el0_svc \u003e\u003e /sys/kernel/debug/tracing/kprobe_events\\n| # echo 1 \u003e /sys/kernel/debug/tracing/events/kprobes/enable\\n| Insufficient stack space to handle exception!\\n| ESR: 0x0000000096000047 -- DABT (current EL)\\n| FAR: 0xffff800009cefff0\\n| Task stack: [0xffff800009cf0000..0xffff800009cf4000]\\n| IRQ stack: [0xffff800008000000..0xffff800008004000]\\n| Overflow stack: [0xffff00007fbc00f0..0xffff00007fbc10f0]\\n| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2\\n| Hardware name: linux,dummy-virt (DT)\\n| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n| pc : arm64_enter_el1_dbg+0x4/0x20\\n| lr : el1_dbg+0x24/0x5c\\n| sp : ffff800009cf0000\\n| x29: ffff800009cf0000 x28: ffff000002c74740 x27: 0000000000000000\\n| x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\\n| x23: 00000000604003c5 x22: ffff80000801745c x21: 0000aaaac95ac068\\n| x20: 00000000f2000004 x19: ffff800009cf0040 x18: 0000000000000000\\n| x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\\n| x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\\n| x11: 0000000000000010 x10: ffff800008c87190 x9 : ffff800008ca00d0\\n| x8 : 000000000000003c x7 : 0000000000000000 x6 : 0000000000000000\\n| x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000043a4\\n| x2 : 00000000f2000004 x1 : 00000000f2000004 x0 : ffff800009cf0040\\n| Kernel panic - not syncing: kernel stack overflow\\n| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2\\n| Hardware name: linux,dummy-virt (DT)\\n| Call trace:\\n| dump_backtrace+0xe4/0x104\\n| show_stack+0x18/0x4c\\n| dump_stack_lvl+0x64/0x7c\\n| dump_stack+0x18/0x38\\n| panic+0x14c/0x338\\n| test_taint+0x0/0x2c\\n| panic_bad_stack+0x104/0x118\\n| handle_bad_stack+0x34/0x48\\n| __bad_stack+0x78/0x7c\\n| arm64_enter_el1_dbg+0x4/0x20\\n| el1h_64_sync_handler+0x40/0x98\\n| el1h_64_sync+0x64/0x68\\n| cortex_a76_erratum_1463225_debug_handler+0x0/0x34\\n...\\n| el1h_64_sync_handler+0x40/0x98\\n| el1h_64_sync+0x64/0x68\\n| cortex_a76_erratum_1463225_debug_handler+0x0/0x34\\n...\\n| el1h_64_sync_handler+0x40/0x98\\n| el1h_64_sync+0x64/0x68\\n| cortex_a76_erratum_1463225_debug_handler+0x0/0x34\\n| el1h_64_sync_handler+0x40/0x98\\n| el1h_64_sync+0x64/0x68\\n| do_el0_svc+0x0/0x28\\n| el0t_64_sync_handler+0x84/0xf0\\n| el0t_64_sync+0x18c/0x190\\n| Kernel Offset: disabled\\n| CPU features: 0x0080,00005021,19001080\\n| Memory Limit: none\\n| ---[ end Kernel panic - not syncing: kernel stack overflow ]---\\n\\nWith this patch, cortex_a76_erratum_1463225_debug_handler() is inlined\\ninto el1_dbg(), and el1_dbg() cannot be probed:\\n\\n| # echo p cortex_a76_erratum_1463225_debug_handler \u003e /sys/kernel/debug/tracing/kprobe_events\\n| sh: write error: No such file or directory\\n| # grep -w cortex_a76_errat\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/024f4b2e1f874934943eb2d3d288ebc52c79f55c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/71d6c33fe223255f4416a01514da2c0bc3e283e7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/db66629d43b2d12cb43b004a4ca6be1d03228e97\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.