CVE-2022-48922 (GCVE-0-2022-48922)

Vulnerability from cvelistv5 – Published: 2024-08-22 01:32 – Updated: 2026-05-11 18:49
VLAI
Title
riscv: fix oops caused by irqsoff latency tracer
Summary
In the Linux kernel, the following vulnerability has been resolved: riscv: fix oops caused by irqsoff latency tracer The trace_hardirqs_{on,off}() require the caller to setup frame pointer properly. This because these two functions use macro 'CALLER_ADDR1' (aka. __builtin_return_address(1)) to acquire caller info. If the $fp is used for other purpose, the code generated this macro (as below) could trigger memory access fault. 0xffffffff8011510e <+80>: ld a1,-16(s0) 0xffffffff80115112 <+84>: ld s2,-8(a1) # <-- paging fault here The oops message during booting if compiled with 'irqoff' tracer enabled: [ 0.039615][ T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8 [ 0.041925][ T0] Oops [#1] [ 0.042063][ T0] Modules linked in: [ 0.042864][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29 [ 0.043568][ T0] Hardware name: riscv-virtio,qemu (DT) [ 0.044343][ T0] epc : trace_hardirqs_on+0x56/0xe2 [ 0.044601][ T0] ra : restore_all+0x12/0x6e [ 0.044721][ T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0 [ 0.044801][ T0] gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020 [ 0.044882][ T0] t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0 [ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100 [ 0.045046][ T0] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000 [ 0.045124][ T0] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45 [ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50 [ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8 [ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000 [ 0.045474][ T0] s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000 [ 0.045548][ T0] t5 : 0000000000000000 t6 : ffffffff814aa368 [ 0.045620][ T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d [ 0.046402][ T0] [<ffffffff80003b94>] restore_all+0x12/0x6e This because the $fp(aka. $s0) register is not used as frame pointer in the assembly entry code. resume_kernel: REG_L s0, TASK_TI_PREEMPT_COUNT(tp) bnez s0, restore_all REG_L s0, TASK_TI_FLAGS(tp) andi s0, s0, _TIF_NEED_RESCHED beqz s0, restore_all call preempt_schedule_irq j restore_all To fix above issue, here we add one extra level wrapper for function trace_hardirqs_{on,off}() so they can be safely called by low level entry code.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 3c46979829824da5af8766d89fa877976bdae884 , < 9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3 (git)
Affected: 3c46979829824da5af8766d89fa877976bdae884 , < 1851b9a467065b18ec2cba156eea345206df1c8f (git)
Affected: 3c46979829824da5af8766d89fa877976bdae884 , < b5e180490db4af8c0f80c4b65ee482d333d0e8ee (git)
Affected: 3c46979829824da5af8766d89fa877976bdae884 , < 22e2100b1b07d6f5acc71cc1acb53f680c677d77 (git)
Create a notification for this product.
Linux Linux Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 5.10.103 , ≤ 5.10.* (semver)
Unaffected: 5.15.26 , ≤ 5.15.* (semver)
Unaffected: 5.16.12 , ≤ 5.16.* (semver)
Unaffected: 5.17 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48922",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:33:25.364852Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:00.926Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/kernel/Makefile",
            "arch/riscv/kernel/entry.S",
            "arch/riscv/kernel/trace_irq.c",
            "arch/riscv/kernel/trace_irq.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3",
              "status": "affected",
              "version": "3c46979829824da5af8766d89fa877976bdae884",
              "versionType": "git"
            },
            {
              "lessThan": "1851b9a467065b18ec2cba156eea345206df1c8f",
              "status": "affected",
              "version": "3c46979829824da5af8766d89fa877976bdae884",
              "versionType": "git"
            },
            {
              "lessThan": "b5e180490db4af8c0f80c4b65ee482d333d0e8ee",
              "status": "affected",
              "version": "3c46979829824da5af8766d89fa877976bdae884",
              "versionType": "git"
            },
            {
              "lessThan": "22e2100b1b07d6f5acc71cc1acb53f680c677d77",
              "status": "affected",
              "version": "3c46979829824da5af8766d89fa877976bdae884",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/kernel/Makefile",
            "arch/riscv/kernel/entry.S",
            "arch/riscv/kernel/trace_irq.c",
            "arch/riscv/kernel/trace_irq.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.103",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.26",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.12",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fix oops caused by irqsoff latency tracer\n\nThe trace_hardirqs_{on,off}() require the caller to setup frame pointer\nproperly. This because these two functions use macro \u0027CALLER_ADDR1\u0027 (aka.\n__builtin_return_address(1)) to acquire caller info. If the $fp is used\nfor other purpose, the code generated this macro (as below) could trigger\nmemory access fault.\n\n   0xffffffff8011510e \u003c+80\u003e:    ld      a1,-16(s0)\n   0xffffffff80115112 \u003c+84\u003e:    ld      s2,-8(a1)  # \u003c-- paging fault here\n\nThe oops message during booting if compiled with \u0027irqoff\u0027 tracer enabled:\n[    0.039615][    T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8\n[    0.041925][    T0] Oops [#1]\n[    0.042063][    T0] Modules linked in:\n[    0.042864][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29\n[    0.043568][    T0] Hardware name: riscv-virtio,qemu (DT)\n[    0.044343][    T0] epc : trace_hardirqs_on+0x56/0xe2\n[    0.044601][    T0]  ra : restore_all+0x12/0x6e\n[    0.044721][    T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0\n[    0.044801][    T0]  gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020\n[    0.044882][    T0]  t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0\n[    0.044967][    T0]  s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100\n[    0.045046][    T0]  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000\n[    0.045124][    T0]  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45\n[    0.045210][    T0]  s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50\n[    0.045289][    T0]  s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8\n[    0.045389][    T0]  s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000\n[    0.045474][    T0]  s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000\n[    0.045548][    T0]  t5 : 0000000000000000 t6 : ffffffff814aa368\n[    0.045620][    T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d\n[    0.046402][    T0] [\u003cffffffff80003b94\u003e] restore_all+0x12/0x6e\n\nThis because the $fp(aka. $s0) register is not used as frame pointer in the\nassembly entry code.\n\n\tresume_kernel:\n\t\tREG_L s0, TASK_TI_PREEMPT_COUNT(tp)\n\t\tbnez s0, restore_all\n\t\tREG_L s0, TASK_TI_FLAGS(tp)\n                andi s0, s0, _TIF_NEED_RESCHED\n                beqz s0, restore_all\n                call preempt_schedule_irq\n                j restore_all\n\nTo fix above issue, here we add one extra level wrapper for function\ntrace_hardirqs_{on,off}() so they can be safely called by low level entry\ncode."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T18:49:44.802Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/1851b9a467065b18ec2cba156eea345206df1c8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5e180490db4af8c0f80c4b65ee482d333d0e8ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/22e2100b1b07d6f5acc71cc1acb53f680c677d77"
        }
      ],
      "title": "riscv: fix oops caused by irqsoff latency tracer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48922",
    "datePublished": "2024-08-22T01:32:55.803Z",
    "dateReserved": "2024-08-21T06:06:23.295Z",
    "dateUpdated": "2026-05-11T18:49:44.802Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-48922",
      "date": "2026-05-27",
      "epss": "0.00033",
      "percentile": "0.09854"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.9\", \"versionEndExcluding\": \"5.10.103\", \"matchCriteriaId\": \"7144C576-97DF-4D5F-B88F-F55AF9826BF5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.11\", \"versionEndExcluding\": \"5.15.26\", \"matchCriteriaId\": \"9AB342AE-A62E-4947-A6EA-511453062B2B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.16\", \"versionEndExcluding\": \"5.16.12\", \"matchCriteriaId\": \"C76BAB21-7F23-4AD8-A25F-CA7B262A2698\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"E6E34B23-78B4-4516-9BD8-61B33F4AC49A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"C030FA3D-03F4-4FB9-9DBF-D08E5CAC51AA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*\", \"matchCriteriaId\": \"B2D2677C-5389-4AE9-869D-0F881E80D923\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.17:rc5:*:*:*:*:*:*\", \"matchCriteriaId\": \"EFA3917C-C322-4D92-912D-ECE45B2E7416\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: fix oops caused by irqsoff latency tracer\\n\\nThe trace_hardirqs_{on,off}() require the caller to setup frame pointer\\nproperly. This because these two functions use macro \u0027CALLER_ADDR1\u0027 (aka.\\n__builtin_return_address(1)) to acquire caller info. If the $fp is used\\nfor other purpose, the code generated this macro (as below) could trigger\\nmemory access fault.\\n\\n   0xffffffff8011510e \u003c+80\u003e:    ld      a1,-16(s0)\\n   0xffffffff80115112 \u003c+84\u003e:    ld      s2,-8(a1)  # \u003c-- paging fault here\\n\\nThe oops message during booting if compiled with \u0027irqoff\u0027 tracer enabled:\\n[    0.039615][    T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8\\n[    0.041925][    T0] Oops [#1]\\n[    0.042063][    T0] Modules linked in:\\n[    0.042864][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29\\n[    0.043568][    T0] Hardware name: riscv-virtio,qemu (DT)\\n[    0.044343][    T0] epc : trace_hardirqs_on+0x56/0xe2\\n[    0.044601][    T0]  ra : restore_all+0x12/0x6e\\n[    0.044721][    T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0\\n[    0.044801][    T0]  gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020\\n[    0.044882][    T0]  t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0\\n[    0.044967][    T0]  s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100\\n[    0.045046][    T0]  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000\\n[    0.045124][    T0]  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45\\n[    0.045210][    T0]  s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50\\n[    0.045289][    T0]  s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8\\n[    0.045389][    T0]  s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000\\n[    0.045474][    T0]  s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000\\n[    0.045548][    T0]  t5 : 0000000000000000 t6 : ffffffff814aa368\\n[    0.045620][    T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d\\n[    0.046402][    T0] [\u003cffffffff80003b94\u003e] restore_all+0x12/0x6e\\n\\nThis because the $fp(aka. $s0) register is not used as frame pointer in the\\nassembly entry code.\\n\\n\\tresume_kernel:\\n\\t\\tREG_L s0, TASK_TI_PREEMPT_COUNT(tp)\\n\\t\\tbnez s0, restore_all\\n\\t\\tREG_L s0, TASK_TI_FLAGS(tp)\\n                andi s0, s0, _TIF_NEED_RESCHED\\n                beqz s0, restore_all\\n                call preempt_schedule_irq\\n                j restore_all\\n\\nTo fix above issue, here we add one extra level wrapper for function\\ntrace_hardirqs_{on,off}() so they can be safely called by low level entry\\ncode.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: corrige los errores causados por el rastreador de latencia irqsoff trace_hardirqs_{on,off}() requiere que la persona que llama configure el puntero del marco correctamente. Esto se debe a que estas dos funciones utilizan la macro \u0027CALLER_ADDR1\u0027 (tambi\\u00e9n conocida como __builtin_return_address(1)) para adquirir informaci\\u00f3n de la persona que llama. Si $fp se usa para otro prop\\u00f3sito, el c\\u00f3digo generado en esta macro (como se muestra a continuaci\\u00f3n) podr\\u00eda provocar una falla de acceso a la memoria. 0xffffffff8011510e \u0026lt;+80\u0026gt;: ld a1,-16(s0) 0xffffffff80115112 \u0026lt;+84\u0026gt;: ld s2,-8(a1) # \u0026lt;-- error de paginaci\\u00f3n aqu\\u00ed El mensaje de ups durante el arranque si se compila con el rastreador \u0027irqoff\u0027 habilitado: [ 0.039615][T0] No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\\u00f3n virtual 00000000000000f8 [0.041925][T0] Ups [#1] [0.042063][T0] M\\u00f3dulos vinculados en: [0.042864][T0] CPU: 0 PID: 0 Comm : swapper/0 No contaminado 5.17.0-rc1-00233-g9a20c48d1ed2 #29 [ 0.043568][ T0] Nombre de hardware: riscv-virtio,qemu (DT) [ 0.044343][ T0] epc : trace_hardirqs_on+0x56/0xe2 [ 0.044601] [T0] ra: restaurar_all+0x12/0x6e [0.044721][T0] epc: ffffffff80126a5c ra: ffffffff80003b94 sp: ffffffff81403db0 [0.044801][T0] gp: ffffffff8163acd8 tp: ffffffff81414880 t0: 0000000000000020 [0.044882][T0] t1: 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0 [ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100 [ 0.045046][ T0] a2: 0000000000000000 a3: 0000000000000000 a4: 0000000000000000 [0.045124][T0] a5: 00000000000000000 a6: 0000000000000000 a7: 000000 0054494d45 [ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50 [ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00800120e8 [ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 00000000000000000 [ 0.045474][ T0 ] s11: 0000000000000000 t3: 7ffffffffffffff t4: 0000000000000000 [0.045548][T0] t5: 0000000000000000 t6: ffffffff814aa368 [0.045620][T0] 0000000200000100 badaddr: 00000000000000f8 causa: 000000000000000d [ 0.046402][ T0] [] restaurar_todo+ 0x12/0x6e Esto porque el $fp(aka. $s0) el registro no se utiliza como puntero de marco en el c\\u00f3digo de entrada del ensamblado. resume_kernel: reg_l s0, task_ti_preempt_count (tp) bnez s0, restaure_all reg_l s0, task_ti_flags (tp) andi s0, s0, _tif_need_resched beqz s0, restaure_all call preempt_schedul S_ { on,off}() para que puedan ser llamados de forma segura mediante un c\\u00f3digo de entrada de bajo nivel.\"}]",
      "id": "CVE-2022-48922",
      "lastModified": "2024-09-12T12:52:54.023",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2024-08-22T02:15:08.267",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/1851b9a467065b18ec2cba156eea345206df1c8f\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/22e2100b1b07d6f5acc71cc1acb53f680c677d77\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/b5e180490db4af8c0f80c4b65ee482d333d0e8ee\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-476\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-48922\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-08-22T02:15:08.267\",\"lastModified\":\"2024-09-12T12:52:54.023\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: fix oops caused by irqsoff latency tracer\\n\\nThe trace_hardirqs_{on,off}() require the caller to setup frame pointer\\nproperly. This because these two functions use macro \u0027CALLER_ADDR1\u0027 (aka.\\n__builtin_return_address(1)) to acquire caller info. If the $fp is used\\nfor other purpose, the code generated this macro (as below) could trigger\\nmemory access fault.\\n\\n   0xffffffff8011510e \u003c+80\u003e:    ld      a1,-16(s0)\\n   0xffffffff80115112 \u003c+84\u003e:    ld      s2,-8(a1)  # \u003c-- paging fault here\\n\\nThe oops message during booting if compiled with \u0027irqoff\u0027 tracer enabled:\\n[    0.039615][    T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8\\n[    0.041925][    T0] Oops [#1]\\n[    0.042063][    T0] Modules linked in:\\n[    0.042864][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29\\n[    0.043568][    T0] Hardware name: riscv-virtio,qemu (DT)\\n[    0.044343][    T0] epc : trace_hardirqs_on+0x56/0xe2\\n[    0.044601][    T0]  ra : restore_all+0x12/0x6e\\n[    0.044721][    T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0\\n[    0.044801][    T0]  gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020\\n[    0.044882][    T0]  t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0\\n[    0.044967][    T0]  s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100\\n[    0.045046][    T0]  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000\\n[    0.045124][    T0]  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45\\n[    0.045210][    T0]  s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50\\n[    0.045289][    T0]  s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8\\n[    0.045389][    T0]  s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000\\n[    0.045474][    T0]  s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000\\n[    0.045548][    T0]  t5 : 0000000000000000 t6 : ffffffff814aa368\\n[    0.045620][    T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d\\n[    0.046402][    T0] [\u003cffffffff80003b94\u003e] restore_all+0x12/0x6e\\n\\nThis because the $fp(aka. $s0) register is not used as frame pointer in the\\nassembly entry code.\\n\\n\\tresume_kernel:\\n\\t\\tREG_L s0, TASK_TI_PREEMPT_COUNT(tp)\\n\\t\\tbnez s0, restore_all\\n\\t\\tREG_L s0, TASK_TI_FLAGS(tp)\\n                andi s0, s0, _TIF_NEED_RESCHED\\n                beqz s0, restore_all\\n                call preempt_schedule_irq\\n                j restore_all\\n\\nTo fix above issue, here we add one extra level wrapper for function\\ntrace_hardirqs_{on,off}() so they can be safely called by low level entry\\ncode.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: corrige los errores causados por el rastreador de latencia irqsoff trace_hardirqs_{on,off}() requiere que la persona que llama configure el puntero del marco correctamente. Esto se debe a que estas dos funciones utilizan la macro \u0027CALLER_ADDR1\u0027 (tambi\u00e9n conocida como __builtin_return_address(1)) para adquirir informaci\u00f3n de la persona que llama. Si $fp se usa para otro prop\u00f3sito, el c\u00f3digo generado en esta macro (como se muestra a continuaci\u00f3n) podr\u00eda provocar una falla de acceso a la memoria. 0xffffffff8011510e \u0026lt;+80\u0026gt;: ld a1,-16(s0) 0xffffffff80115112 \u0026lt;+84\u0026gt;: ld s2,-8(a1) # \u0026lt;-- error de paginaci\u00f3n aqu\u00ed El mensaje de ups durante el arranque si se compila con el rastreador \u0027irqoff\u0027 habilitado: [ 0.039615][T0] No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\u00f3n virtual 00000000000000f8 [0.041925][T0] Ups [#1] [0.042063][T0] M\u00f3dulos vinculados en: [0.042864][T0] CPU: 0 PID: 0 Comm : swapper/0 No contaminado 5.17.0-rc1-00233-g9a20c48d1ed2 #29 [ 0.043568][ T0] Nombre de hardware: riscv-virtio,qemu (DT) [ 0.044343][ T0] epc : trace_hardirqs_on+0x56/0xe2 [ 0.044601] [T0] ra: restaurar_all+0x12/0x6e [0.044721][T0] epc: ffffffff80126a5c ra: ffffffff80003b94 sp: ffffffff81403db0 [0.044801][T0] gp: ffffffff8163acd8 tp: ffffffff81414880 t0: 0000000000000020 [0.044882][T0] t1: 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0 [ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100 [ 0.045046][ T0] a2: 0000000000000000 a3: 0000000000000000 a4: 0000000000000000 [0.045124][T0] a5: 00000000000000000 a6: 0000000000000000 a7: 000000 0054494d45 [ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50 [ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00800120e8 [ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 00000000000000000 [ 0.045474][ T0 ] s11: 0000000000000000 t3: 7ffffffffffffff t4: 0000000000000000 [0.045548][T0] t5: 0000000000000000 t6: ffffffff814aa368 [0.045620][T0] 0000000200000100 badaddr: 00000000000000f8 causa: 000000000000000d [ 0.046402][ T0] [] restaurar_todo+ 0x12/0x6e Esto porque el $fp(aka. $s0) el registro no se utiliza como puntero de marco en el c\u00f3digo de entrada del ensamblado. resume_kernel: reg_l s0, task_ti_preempt_count (tp) bnez s0, restaure_all reg_l s0, task_ti_flags (tp) andi s0, s0, _tif_need_resched beqz s0, restaure_all call preempt_schedul S_ { on,off}() para que puedan ser llamados de forma segura mediante un c\u00f3digo de entrada de bajo nivel.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.9\",\"versionEndExcluding\":\"5.10.103\",\"matchCriteriaId\":\"7144C576-97DF-4D5F-B88F-F55AF9826BF5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.26\",\"matchCriteriaId\":\"9AB342AE-A62E-4947-A6EA-511453062B2B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.16.12\",\"matchCriteriaId\":\"C76BAB21-7F23-4AD8-A25F-CA7B262A2698\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E6E34B23-78B4-4516-9BD8-61B33F4AC49A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"C030FA3D-03F4-4FB9-9DBF-D08E5CAC51AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2D2677C-5389-4AE9-869D-0F881E80D923\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.17:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"EFA3917C-C322-4D92-912D-ECE45B2E7416\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1851b9a467065b18ec2cba156eea345206df1c8f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/22e2100b1b07d6f5acc71cc1acb53f680c677d77\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b5e180490db4af8c0f80c4b65ee482d333d0e8ee\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-48922\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:33:25.364852Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:12.742Z\"}}], \"cna\": {\"title\": \"riscv: fix oops caused by irqsoff latency tracer\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"3c4697982982\", \"lessThan\": \"9e2dbc31e367\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"3c4697982982\", \"lessThan\": \"1851b9a46706\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"3c4697982982\", \"lessThan\": \"b5e180490db4\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"3c4697982982\", \"lessThan\": \"22e2100b1b07\", \"versionType\": \"git\"}], \"programFiles\": [\"arch/riscv/kernel/Makefile\", \"arch/riscv/kernel/entry.S\", \"arch/riscv/kernel/trace_irq.c\", \"arch/riscv/kernel/trace_irq.h\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.9\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.9\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"5.10.103\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.26\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"5.16.12\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.16.*\"}, {\"status\": \"unaffected\", \"version\": \"5.17\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"arch/riscv/kernel/Makefile\", \"arch/riscv/kernel/entry.S\", \"arch/riscv/kernel/trace_irq.c\", \"arch/riscv/kernel/trace_irq.h\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3\"}, {\"url\": \"https://git.kernel.org/stable/c/1851b9a467065b18ec2cba156eea345206df1c8f\"}, {\"url\": \"https://git.kernel.org/stable/c/b5e180490db4af8c0f80c4b65ee482d333d0e8ee\"}, {\"url\": \"https://git.kernel.org/stable/c/22e2100b1b07d6f5acc71cc1acb53f680c677d77\"}], \"x_generator\": {\"engine\": \"bippy-c9c4e1df01b2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: fix oops caused by irqsoff latency tracer\\n\\nThe trace_hardirqs_{on,off}() require the caller to setup frame pointer\\nproperly. This because these two functions use macro \u0027CALLER_ADDR1\u0027 (aka.\\n__builtin_return_address(1)) to acquire caller info. If the $fp is used\\nfor other purpose, the code generated this macro (as below) could trigger\\nmemory access fault.\\n\\n   0xffffffff8011510e \u003c+80\u003e:    ld      a1,-16(s0)\\n   0xffffffff80115112 \u003c+84\u003e:    ld      s2,-8(a1)  # \u003c-- paging fault here\\n\\nThe oops message during booting if compiled with \u0027irqoff\u0027 tracer enabled:\\n[    0.039615][    T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8\\n[    0.041925][    T0] Oops [#1]\\n[    0.042063][    T0] Modules linked in:\\n[    0.042864][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29\\n[    0.043568][    T0] Hardware name: riscv-virtio,qemu (DT)\\n[    0.044343][    T0] epc : trace_hardirqs_on+0x56/0xe2\\n[    0.044601][    T0]  ra : restore_all+0x12/0x6e\\n[    0.044721][    T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0\\n[    0.044801][    T0]  gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020\\n[    0.044882][    T0]  t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0\\n[    0.044967][    T0]  s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100\\n[    0.045046][    T0]  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000\\n[    0.045124][    T0]  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45\\n[    0.045210][    T0]  s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50\\n[    0.045289][    T0]  s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8\\n[    0.045389][    T0]  s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000\\n[    0.045474][    T0]  s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000\\n[    0.045548][    T0]  t5 : 0000000000000000 t6 : ffffffff814aa368\\n[    0.045620][    T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d\\n[    0.046402][    T0] [\u003cffffffff80003b94\u003e] restore_all+0x12/0x6e\\n\\nThis because the $fp(aka. $s0) register is not used as frame pointer in the\\nassembly entry code.\\n\\n\\tresume_kernel:\\n\\t\\tREG_L s0, TASK_TI_PREEMPT_COUNT(tp)\\n\\t\\tbnez s0, restore_all\\n\\t\\tREG_L s0, TASK_TI_FLAGS(tp)\\n                andi s0, s0, _TIF_NEED_RESCHED\\n                beqz s0, restore_all\\n                call preempt_schedule_irq\\n                j restore_all\\n\\nTo fix above issue, here we add one extra level wrapper for function\\ntrace_hardirqs_{on,off}() so they can be safely called by low level entry\\ncode.\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-08-22T03:31:10.831Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-48922\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-12T17:33:00.926Z\", \"dateReserved\": \"2024-08-21T06:06:23.295Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-08-22T01:32:55.803Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.