cve-2022-48713
Vulnerability from cvelistv5
Published
2024-06-20 11:13
Modified
2024-12-19 08:06
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/pt: Fix crash with stop filters in single-range mode Add a check for !buf->single before calling pt_buffer_region_size in a place where a missing check can cause a kernel crash. Fixes a bug introduced by commit 670638477aed ("perf/x86/intel/pt: Opportunistically use single range output mode"), which added a support for PT single-range output mode. Since that commit if a PT stop filter range is hit while tracing, the kernel will crash because of a null pointer dereference in pt_handle_status due to calling pt_buffer_region_size without a ToPA configured. The commit which introduced single-range mode guarded almost all uses of the ToPA buffer variables with checks of the buf->single variable, but missed the case where tracing was stopped by the PT hardware, which happens when execution hits a configured stop filter. Tested that hitting a stop filter while PT recording successfully records a trace with this patch but crashes without this patch.
Impacted products
Vendor Product Version
Linux Linux Version: 5.5
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48713",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-20T15:57:49.148833Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-20T15:58:11.307Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:17:55.875Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/456f041e035913fcedb275aff6f8a71dfebcd394"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e83d941fd3445f660d2f43647c580a320cc384f6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/feffb6ae2c80b9a8206450cdef90f5943baced99"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1d9093457b243061a9bba23543c38726e864a643"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/events/intel/pt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "456f041e035913fcedb275aff6f8a71dfebcd394",
              "status": "affected",
              "version": "670638477aede0d7a355ced04b569214aa3feacd",
              "versionType": "git"
            },
            {
              "lessThan": "e83d941fd3445f660d2f43647c580a320cc384f6",
              "status": "affected",
              "version": "670638477aede0d7a355ced04b569214aa3feacd",
              "versionType": "git"
            },
            {
              "lessThan": "feffb6ae2c80b9a8206450cdef90f5943baced99",
              "status": "affected",
              "version": "670638477aede0d7a355ced04b569214aa3feacd",
              "versionType": "git"
            },
            {
              "lessThan": "1d9093457b243061a9bba23543c38726e864a643",
              "status": "affected",
              "version": "670638477aede0d7a355ced04b569214aa3feacd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/events/intel/pt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/pt: Fix crash with stop filters in single-range mode\n\nAdd a check for !buf-\u003esingle before calling pt_buffer_region_size in a\nplace where a missing check can cause a kernel crash.\n\nFixes a bug introduced by commit 670638477aed (\"perf/x86/intel/pt:\nOpportunistically use single range output mode\"), which added a\nsupport for PT single-range output mode. Since that commit if a PT\nstop filter range is hit while tracing, the kernel will crash because\nof a null pointer dereference in pt_handle_status due to calling\npt_buffer_region_size without a ToPA configured.\n\nThe commit which introduced single-range mode guarded almost all uses of\nthe ToPA buffer variables with checks of the buf-\u003esingle variable, but\nmissed the case where tracing was stopped by the PT hardware, which\nhappens when execution hits a configured stop filter.\n\nTested that hitting a stop filter while PT recording successfully\nrecords a trace with this patch but crashes without this patch."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:06:07.840Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/456f041e035913fcedb275aff6f8a71dfebcd394"
        },
        {
          "url": "https://git.kernel.org/stable/c/e83d941fd3445f660d2f43647c580a320cc384f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/feffb6ae2c80b9a8206450cdef90f5943baced99"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d9093457b243061a9bba23543c38726e864a643"
        }
      ],
      "title": "perf/x86/intel/pt: Fix crash with stop filters in single-range mode",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48713",
    "datePublished": "2024-06-20T11:13:07.350Z",
    "dateReserved": "2024-06-20T11:09:39.050Z",
    "dateUpdated": "2024-12-19T08:06:07.840Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-48713\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-20T11:15:54.960\",\"lastModified\":\"2024-11-21T07:33:50.593\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf/x86/intel/pt: Fix crash with stop filters in single-range mode\\n\\nAdd a check for !buf-\u003esingle before calling pt_buffer_region_size in a\\nplace where a missing check can cause a kernel crash.\\n\\nFixes a bug introduced by commit 670638477aed (\\\"perf/x86/intel/pt:\\nOpportunistically use single range output mode\\\"), which added a\\nsupport for PT single-range output mode. Since that commit if a PT\\nstop filter range is hit while tracing, the kernel will crash because\\nof a null pointer dereference in pt_handle_status due to calling\\npt_buffer_region_size without a ToPA configured.\\n\\nThe commit which introduced single-range mode guarded almost all uses of\\nthe ToPA buffer variables with checks of the buf-\u003esingle variable, but\\nmissed the case where tracing was stopped by the PT hardware, which\\nhappens when execution hits a configured stop filter.\\n\\nTested that hitting a stop filter while PT recording successfully\\nrecords a trace with this patch but crashes without this patch.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: perf/x86/intel/pt: soluciona el fallo con filtros de parada en modo de rango \u00fanico. A\u00f1ade una marca para !buf-\u0026gt;single antes de llamar a pt_buffer_region_size en un lugar donde una marca faltante puede provocar un fallo del kernel. Corrige un error introducido por el commit 670638477aed (\\\"perf/x86/intel/pt: utilizar de manera oportunista el modo de salida de rango \u00fanico\\\"), que agreg\u00f3 soporte para el modo de salida de rango \u00fanico PT. Desde esa confirmaci\u00f3n, si se alcanza un rango de filtro de parada PT durante el seguimiento, el kernel fallar\u00e1 debido a una desreferencia de puntero nulo en pt_handle_status debido a la llamada a pt_buffer_region_size sin un ToPA configurado. La confirmaci\u00f3n que introdujo el modo de rango \u00fanico protegi\u00f3 casi todos los usos de las variables del b\u00fafer ToPA con comprobaciones de la variable buf-\u0026gt;single, pero omiti\u00f3 el caso en el que el hardware PT detuvo el seguimiento, lo que ocurre cuando la ejecuci\u00f3n llega a un filtro de parada configurado. Se prob\u00f3 que al presionar un filtro de detenci\u00f3n mientras se graba PT se registra exitosamente un seguimiento con este parche, pero falla sin este parche.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1d9093457b243061a9bba23543c38726e864a643\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/456f041e035913fcedb275aff6f8a71dfebcd394\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e83d941fd3445f660d2f43647c580a320cc384f6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/feffb6ae2c80b9a8206450cdef90f5943baced99\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1d9093457b243061a9bba23543c38726e864a643\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/456f041e035913fcedb275aff6f8a71dfebcd394\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/e83d941fd3445f660d2f43647c580a320cc384f6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/feffb6ae2c80b9a8206450cdef90f5943baced99\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.