GHSA-3RMF-XHH6-VPWJ

Vulnerability from github – Published: 2025-12-09 03:31 – Updated: 2025-12-09 03:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()

I found a null pointer reference in arch_prepare_kprobe():

# echo 'p cmdline_proc_show' > kprobe_events # echo 'p cmdline_proc_show+16' >> kprobe_events Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc000000000050bfc Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10 NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e) MSR: 9000000000009033 CR: 88002444 XER: 20040006 CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0 ... NIP arch_prepare_kprobe+0x10c/0x2d0 LR arch_prepare_kprobe+0xfc/0x2d0 Call Trace: 0xc0000000012f77a0 (unreliable) register_kprobe+0x3c0/0x7a0 __register_trace_kprobe+0x140/0x1a0 __trace_kprobe_create+0x794/0x1040 trace_probe_create+0xc4/0xe0 create_or_delete_trace_kprobe+0x2c/0x80 trace_parse_run_command+0xf0/0x210 probes_write+0x20/0x40 vfs_write+0xfc/0x450 ksys_write+0x84/0x140 system_call_exception+0x17c/0x3a0 system_call_vectored_common+0xe8/0x278 --- interrupt: 3000 at 0x7fffa5682de0 NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000 REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e) MSR: 900000000280f033 CR: 44002408 XER: 00000000

The address being probed has some special:

cmdline_proc_show: Probe based on ftrace cmdline_proc_show+16: Probe for the next instruction at the ftrace location

The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets set to NULL. In arch_prepare_kprobe() it will check for:

... prev = get_kprobe(p->addr - 1); preempt_enable_no_resched(); if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) { ...

If prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur with a null pointer reference. At this point prev->addr will not be a prefixed instruction, so the check can be skipped.

Check if prev is ftrace-based kprobe before reading 'prev->ainsn.insn' to fix this problem.

[mpe: Trim oops]

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50635"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T01:16:45Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()\n\nI found a null pointer reference in arch_prepare_kprobe():\n\n  # echo \u0027p cmdline_proc_show\u0027 \u003e kprobe_events\n  # echo \u0027p cmdline_proc_show+16\u0027 \u003e\u003e kprobe_events\n  Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n  BUG: Kernel NULL pointer dereference on read at 0x00000000\n  Faulting instruction address: 0xc000000000050bfc\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\n  Modules linked in:\n  CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10\n  NIP:  c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc\n  REGS: c0000000348475b0 TRAP: 0300   Not tainted  (6.0.0-rc3-00007-gdcf8e5633e2e)\n  MSR:  9000000000009033 \u003cSF,HV,EE,ME,IR,DR,RI,LE\u003e  CR: 88002444  XER: 20040006\n  CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0\n  ...\n  NIP arch_prepare_kprobe+0x10c/0x2d0\n  LR  arch_prepare_kprobe+0xfc/0x2d0\n  Call Trace:\n    0xc0000000012f77a0 (unreliable)\n    register_kprobe+0x3c0/0x7a0\n    __register_trace_kprobe+0x140/0x1a0\n    __trace_kprobe_create+0x794/0x1040\n    trace_probe_create+0xc4/0xe0\n    create_or_delete_trace_kprobe+0x2c/0x80\n    trace_parse_run_command+0xf0/0x210\n    probes_write+0x20/0x40\n    vfs_write+0xfc/0x450\n    ksys_write+0x84/0x140\n    system_call_exception+0x17c/0x3a0\n    system_call_vectored_common+0xe8/0x278\n  --- interrupt: 3000 at 0x7fffa5682de0\n  NIP:  00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000\n  REGS: c000000034847e80 TRAP: 3000   Not tainted  (6.0.0-rc3-00007-gdcf8e5633e2e)\n  MSR:  900000000280f033 \u003cSF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE\u003e  CR: 44002408  XER: 00000000\n\nThe address being probed has some special:\n\n  cmdline_proc_show: Probe based on ftrace\n  cmdline_proc_show+16: Probe for the next instruction at the ftrace location\n\nThe ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets\nset to NULL. In arch_prepare_kprobe() it will check for:\n\n  ...\n  prev = get_kprobe(p-\u003eaddr - 1);\n  preempt_enable_no_resched();\n  if (prev \u0026\u0026 ppc_inst_prefixed(ppc_inst_read(prev-\u003eainsn.insn))) {\n  ...\n\nIf prev is based on ftrace, \u0027ppc_inst_read(prev-\u003eainsn.insn)\u0027 will occur\nwith a null pointer reference. At this point prev-\u003eaddr will not be a\nprefixed instruction, so the check can be skipped.\n\nCheck if prev is ftrace-based kprobe before reading \u0027prev-\u003eainsn.insn\u0027\nto fix this problem.\n\n[mpe: Trim oops]",
  "id": "GHSA-3rmf-xhh6-vpwj",
  "modified": "2025-12-09T03:31:09Z",
  "published": "2025-12-09T03:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50635"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4eac4f6a86ae73ef4b772d37398beeba2fbfde4e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5fd1b369387c53ee6c774ab86e32e362a1e537ac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7f536a8cb62dd5c084f112373fc34cdb5168a813"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/97f88a3d723162781d6cbfdc7b9617eefab55b19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.