CVE-2022-50078

In the Linux kernel, the following vulnerability has been resolved:

tracing/eprobes: Do not allow eprobes to use $stack, or % for regs

While playing with event probes (eprobes), I tried to see what would happen if I attempted to retrieve the instruction pointer (%rip) knowing that event probes do not use pt_regs. The result was:

BUG: kernel NULL pointer dereference, address: 0000000000000024 #PF: supervisor read access in kernel mode #PF: errorcode(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 1847 Comm: trace-cmd Not tainted 5.19.0-rc5-test+ #309 Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016 RIP: 0010:geteventfield.isra.0+0x0/0x50 Code: ff 48 c7 c7 c0 8f 74 a1 e8 3d 8b f5 ff e8 88 09 f6 ff 4c 89 e7 e8 50 6a 13 00 48 89 ef 5b 5d 41 5c 41 5d e9 42 6a 13 00 66 90 <48> 63 47 24 8b 57 2c 48 01 c6 8b 47 28 83 f8 02 74 0e 83 f8 04 74 RSP: 0018:ffff916c394bbaf0 EFLAGS: 00010086 RAX: ffff916c854041d8 RBX: ffff916c8d9fbf50 RCX: ffff916c255d2000 RDX: 0000000000000000 RSI: ffff916c255d2008 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff916c3a2a0c08 R09: ffff916c394bbda8 R10: 0000000000000000 R11: 0000000000000000 R12: ffff916c854041d8 R13: ffff916c854041b0 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff916c9ea40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000024 CR3: 000000011b60a002 CR4: 00000000001706e0 Call Trace: <TASK> geteprobesize+0xb4/0x640 ? _modnodepagestate+0x72/0xc0 _eprobetracefunc+0x59/0x1a0 ? _modlruvecpagestate+0xaa/0x1b0 ? pageremovefilermap+0x14/0x230 ? pageremovermap+0xda/0x170 eventtriggerscall+0x52/0xe0 traceeventbuffercommit+0x18f/0x240 traceeventraweventschedwakeuptemplate+0x7a/0xb0 trytowakeup+0x260/0x4c0 _wakeupcommon+0x80/0x180 _wakeupcommonlock+0x7c/0xc0 donotifyparent+0x1c9/0x2a0 exitnotify+0x1a9/0x220 doexit+0x2ba/0x450 dogroupexit+0x2d/0x90 _x64sysexitgroup+0x14/0x20 dosyscall64+0x3b/0x90 entrySYSCALL64afterhwframe+0x46/0xb0

Obviously this is not the desired result.

Move the testing for TPARGFLTPOINT which is only used for event probes to the top of the "$" variable check, as all the other variables are not used for event probes. Also add a check in the register parsing "%" to fail if an event probe is used.