CVE-2022-48922
- Source
- https://cve.org/CVERecord?id=CVE-2022-48922
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48922.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-48922
- Downstream
- Published
- 2024-08-22T01:32:55.803Z
- Modified
- 2026-04-02T08:27:08.751369Z
- Summary
- riscv: fix oops caused by irqsoff latency tracer
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
riscv: fix oops caused by irqsoff latency tracer
The tracehardirqs{on,off}() require the caller to setup frame pointer properly. This because these two functions use macro 'CALLER_ADDR1' (aka. __builtinreturnaddress(1)) to acquire caller info. If the $fp is used for other purpose, the code generated this macro (as below) could trigger memory access fault.
0xffffffff8011510e <+80>: ld a1,-16(s0) 0xffffffff80115112 <+84>: ld s2,-8(a1) # <-- paging fault here
The oops message during booting if compiled with 'irqoff' tracer enabled: [ 0.039615][ T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8 [ 0.041925][ T0] Oops [#1] [ 0.042063][ T0] Modules linked in: [ 0.042864][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29 [ 0.043568][ T0] Hardware name: riscv-virtio,qemu (DT) [ 0.044343][ T0] epc : tracehardirqson+0x56/0xe2 [ 0.044601][ T0] ra : restoreall+0x12/0x6e [ 0.044721][ T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0 [ 0.044801][ T0] gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020 [ 0.044882][ T0] t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0 [ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100 [ 0.045046][ T0] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000 [ 0.045124][ T0] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45 [ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50 [ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8 [ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000 [ 0.045474][ T0] s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000 [ 0.045548][ T0] t5 : 0000000000000000 t6 : ffffffff814aa368 [ 0.045620][ T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d [ 0.046402][ T0] [<ffffffff80003b94>] restoreall+0x12/0x6e
This because the $fp(aka. $s0) register is not used as frame pointer in the assembly entry code.
resume_kernel: REG_L s0, TASK_TI_PREEMPT_COUNT(tp) bnez s0, restore_all REG_L s0, TASK_TI_FLAGS(tp) andi s0, s0, _TIF_NEED_RESCHED beqz s0, restore_all call preempt_schedule_irq j restore_allTo fix above issue, here we add one extra level wrapper for function tracehardirqs{on,off}() so they can be safely called by low level entry code.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48922.json" }- References
-
- https://git.kernel.org/stable/c/1851b9a467065b18ec2cba156eea345206df1c8f
- https://git.kernel.org/stable/c/22e2100b1b07d6f5acc71cc1acb53f680c677d77
- https://git.kernel.org/stable/c/9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3
- https://git.kernel.org/stable/c/b5e180490db4af8c0f80c4b65ee482d333d0e8ee
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48922.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-48922
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3c46979829824da5af8766d89fa877976bdae884Fixed9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3Fixed1851b9a467065b18ec2cba156eea345206df1c8fFixedb5e180490db4af8c0f80c4b65ee482d333d0e8eeFixed22e2100b1b07d6f5acc71cc1acb53f680c677d77