cve-2022-49892
Vulnerability from cvelistv5
Published
2025-05-01 14:10
Modified
2025-05-01 14:10
Severity ?
Summary
ftrace: Fix use-after-free for dynamic ftrace_ops
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0e792b89e6800cd9cb4757a76a96f7ef3e8b6294
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/88561a66777e7a2fe06638c6dcb22a9fae0b6733
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cc1b9961a0ceb70f6ca4e2f4b8bb71c87c7a495c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ea5f2fd4640ecbb9df969bf8bb27733ae2183169
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ftrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ea5f2fd4640ecbb9df969bf8bb27733ae2183169",
              "status": "affected",
              "version": "edb096e00724f02db5f6ec7900f3bbd465c6c76f",
              "versionType": "git"
            },
            {
              "lessThan": "88561a66777e7a2fe06638c6dcb22a9fae0b6733",
              "status": "affected",
              "version": "edb096e00724f02db5f6ec7900f3bbd465c6c76f",
              "versionType": "git"
            },
            {
              "lessThan": "cc1b9961a0ceb70f6ca4e2f4b8bb71c87c7a495c",
              "status": "affected",
              "version": "edb096e00724f02db5f6ec7900f3bbd465c6c76f",
              "versionType": "git"
            },
            {
              "lessThan": "0e792b89e6800cd9cb4757a76a96f7ef3e8b6294",
              "status": "affected",
              "version": "edb096e00724f02db5f6ec7900f3bbd465c6c76f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ftrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.154",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix use-after-free for dynamic ftrace_ops\n\nKASAN reported a use-after-free with ftrace ops [1]. It was found from\nvmcore that perf had registered two ops with the same content\nsuccessively, both dynamic. After unregistering the second ops, a\nuse-after-free occurred.\n\nIn ftrace_shutdown(), when the second ops is unregistered, the\nFTRACE_UPDATE_CALLS command is not set because there is another enabled\nops with the same content.  Also, both ops are dynamic and the ftrace\ncallback function is ftrace_ops_list_func, so the\nFTRACE_UPDATE_TRACE_FUNC command will not be set. Eventually the value\nof \u0027command\u0027 will be 0 and ftrace_shutdown() will skip the rcu\nsynchronization.\n\nHowever, ftrace may be activated. When the ops is released, another CPU\nmay be accessing the ops.  Add the missing synchronization to fix this\nproblem.\n\n[1]\nBUG: KASAN: use-after-free in __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]\nBUG: KASAN: use-after-free in ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049\nRead of size 8 at addr ffff56551965bbc8 by task syz-executor.2/14468\n\nCPU: 1 PID: 14468 Comm: syz-executor.2 Not tainted 5.10.0 #7\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0x0/0x40c arch/arm64/kernel/stacktrace.c:132\n show_stack+0x30/0x40 arch/arm64/kernel/stacktrace.c:196\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x1b4/0x248 lib/dump_stack.c:118\n print_address_description.constprop.0+0x28/0x48c mm/kasan/report.c:387\n __kasan_report mm/kasan/report.c:547 [inline]\n kasan_report+0x118/0x210 mm/kasan/report.c:564\n check_memory_region_inline mm/kasan/generic.c:187 [inline]\n __asan_load8+0x98/0xc0 mm/kasan/generic.c:253\n __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]\n ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049\n ftrace_graph_call+0x0/0x4\n __might_sleep+0x8/0x100 include/linux/perf_event.h:1170\n __might_fault mm/memory.c:5183 [inline]\n __might_fault+0x58/0x70 mm/memory.c:5171\n do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]\n strncpy_from_user+0x1f4/0x4b0 lib/strncpy_from_user.c:139\n getname_flags+0xb0/0x31c fs/namei.c:149\n getname+0x2c/0x40 fs/namei.c:209\n [...]\n\nAllocated by task 14445:\n kasan_save_stack+0x24/0x50 mm/kasan/common.c:48\n kasan_set_track mm/kasan/common.c:56 [inline]\n __kasan_kmalloc mm/kasan/common.c:479 [inline]\n __kasan_kmalloc.constprop.0+0x110/0x13c mm/kasan/common.c:449\n kasan_kmalloc+0xc/0x14 mm/kasan/common.c:493\n kmem_cache_alloc_trace+0x440/0x924 mm/slub.c:2950\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:675 [inline]\n perf_event_alloc.part.0+0xb4/0x1350 kernel/events/core.c:11230\n perf_event_alloc kernel/events/core.c:11733 [inline]\n __do_sys_perf_event_open kernel/events/core.c:11831 [inline]\n __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723\n __arm64_sys_perf_event_open+0x6c/0x80 kernel/events/core.c:11723\n [...]\n\nFreed by task 14445:\n kasan_save_stack+0x24/0x50 mm/kasan/common.c:48\n kasan_set_track+0x24/0x34 mm/kasan/common.c:56\n kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:358\n __kasan_slab_free.part.0+0x11c/0x1b0 mm/kasan/common.c:437\n __kasan_slab_free mm/kasan/common.c:445 [inline]\n kasan_slab_free+0x2c/0x40 mm/kasan/common.c:446\n slab_free_hook mm/slub.c:1569 [inline]\n slab_free_freelist_hook mm/slub.c:1608 [inline]\n slab_free mm/slub.c:3179 [inline]\n kfree+0x12c/0xc10 mm/slub.c:4176\n perf_event_alloc.part.0+0xa0c/0x1350 kernel/events/core.c:11434\n perf_event_alloc kernel/events/core.c:11733 [inline]\n __do_sys_perf_event_open kernel/events/core.c:11831 [inline]\n __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723\n [...]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-01T14:10:35.815Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ea5f2fd4640ecbb9df969bf8bb27733ae2183169"
        },
        {
          "url": "https://git.kernel.org/stable/c/88561a66777e7a2fe06638c6dcb22a9fae0b6733"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc1b9961a0ceb70f6ca4e2f4b8bb71c87c7a495c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e792b89e6800cd9cb4757a76a96f7ef3e8b6294"
        }
      ],
      "title": "ftrace: Fix use-after-free for dynamic ftrace_ops",
      "x_generator": {
        "engine": "bippy-1.1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49892",
    "datePublished": "2025-05-01T14:10:35.815Z",
    "dateReserved": "2025-05-01T14:05:17.243Z",
    "dateUpdated": "2025-05-01T14:10:35.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-49892\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-01T15:16:14.210\",\"lastModified\":\"2025-05-01T15:16:14.210\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nftrace: Fix use-after-free for dynamic ftrace_ops\\n\\nKASAN reported a use-after-free with ftrace ops [1]. It was found from\\nvmcore that perf had registered two ops with the same content\\nsuccessively, both dynamic. After unregistering the second ops, a\\nuse-after-free occurred.\\n\\nIn ftrace_shutdown(), when the second ops is unregistered, the\\nFTRACE_UPDATE_CALLS command is not set because there is another enabled\\nops with the same content.  Also, both ops are dynamic and the ftrace\\ncallback function is ftrace_ops_list_func, so the\\nFTRACE_UPDATE_TRACE_FUNC command will not be set. Eventually the value\\nof \u0027command\u0027 will be 0 and ftrace_shutdown() will skip the rcu\\nsynchronization.\\n\\nHowever, ftrace may be activated. When the ops is released, another CPU\\nmay be accessing the ops.  Add the missing synchronization to fix this\\nproblem.\\n\\n[1]\\nBUG: KASAN: use-after-free in __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]\\nBUG: KASAN: use-after-free in ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049\\nRead of size 8 at addr ffff56551965bbc8 by task syz-executor.2/14468\\n\\nCPU: 1 PID: 14468 Comm: syz-executor.2 Not tainted 5.10.0 #7\\nHardware name: linux,dummy-virt (DT)\\nCall trace:\\n dump_backtrace+0x0/0x40c arch/arm64/kernel/stacktrace.c:132\\n show_stack+0x30/0x40 arch/arm64/kernel/stacktrace.c:196\\n __dump_stack lib/dump_stack.c:77 [inline]\\n dump_stack+0x1b4/0x248 lib/dump_stack.c:118\\n print_address_description.constprop.0+0x28/0x48c mm/kasan/report.c:387\\n __kasan_report mm/kasan/report.c:547 [inline]\\n kasan_report+0x118/0x210 mm/kasan/report.c:564\\n check_memory_region_inline mm/kasan/generic.c:187 [inline]\\n __asan_load8+0x98/0xc0 mm/kasan/generic.c:253\\n __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]\\n ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049\\n ftrace_graph_call+0x0/0x4\\n __might_sleep+0x8/0x100 include/linux/perf_event.h:1170\\n __might_fault mm/memory.c:5183 [inline]\\n __might_fault+0x58/0x70 mm/memory.c:5171\\n do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]\\n strncpy_from_user+0x1f4/0x4b0 lib/strncpy_from_user.c:139\\n getname_flags+0xb0/0x31c fs/namei.c:149\\n getname+0x2c/0x40 fs/namei.c:209\\n [...]\\n\\nAllocated by task 14445:\\n kasan_save_stack+0x24/0x50 mm/kasan/common.c:48\\n kasan_set_track mm/kasan/common.c:56 [inline]\\n __kasan_kmalloc mm/kasan/common.c:479 [inline]\\n __kasan_kmalloc.constprop.0+0x110/0x13c mm/kasan/common.c:449\\n kasan_kmalloc+0xc/0x14 mm/kasan/common.c:493\\n kmem_cache_alloc_trace+0x440/0x924 mm/slub.c:2950\\n kmalloc include/linux/slab.h:563 [inline]\\n kzalloc include/linux/slab.h:675 [inline]\\n perf_event_alloc.part.0+0xb4/0x1350 kernel/events/core.c:11230\\n perf_event_alloc kernel/events/core.c:11733 [inline]\\n __do_sys_perf_event_open kernel/events/core.c:11831 [inline]\\n __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723\\n __arm64_sys_perf_event_open+0x6c/0x80 kernel/events/core.c:11723\\n [...]\\n\\nFreed by task 14445:\\n kasan_save_stack+0x24/0x50 mm/kasan/common.c:48\\n kasan_set_track+0x24/0x34 mm/kasan/common.c:56\\n kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:358\\n __kasan_slab_free.part.0+0x11c/0x1b0 mm/kasan/common.c:437\\n __kasan_slab_free mm/kasan/common.c:445 [inline]\\n kasan_slab_free+0x2c/0x40 mm/kasan/common.c:446\\n slab_free_hook mm/slub.c:1569 [inline]\\n slab_free_freelist_hook mm/slub.c:1608 [inline]\\n slab_free mm/slub.c:3179 [inline]\\n kfree+0x12c/0xc10 mm/slub.c:4176\\n perf_event_alloc.part.0+0xa0c/0x1350 kernel/events/core.c:11434\\n perf_event_alloc kernel/events/core.c:11733 [inline]\\n __do_sys_perf_event_open kernel/events/core.c:11831 [inline]\\n __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723\\n [...]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0e792b89e6800cd9cb4757a76a96f7ef3e8b6294\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/88561a66777e7a2fe06638c6dcb22a9fae0b6733\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cc1b9961a0ceb70f6ca4e2f4b8bb71c87c7a495c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ea5f2fd4640ecbb9df969bf8bb27733ae2183169\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.