CVE-2022-50635
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-50635
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50635.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-50635
- Downstream
- Published
- 2025-12-09T00:00:08.590Z
- Modified
- 2025-12-09T03:52:40.442498Z
- Summary
- powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
powerpc/kprobes: Fix null pointer reference in archpreparekprobe()
I found a null pointer reference in archpreparekprobe():
# echo 'p cmdlineprocshow' > kprobeevents # echo 'p cmdlineprocshow+16' >> kprobeevents Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc000000000050bfc Oops: Kernel access of bad area, sig: 11 [#1] LE PAGESIZE=64K MMU=Radix SMP NRCPUS=2048 NUMA PowerNV Modules linked in: CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10 NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e) MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 88002444 XER: 20040006 CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0 ... NIP archpreparekprobe+0x10c/0x2d0 LR archpreparekprobe+0xfc/0x2d0 Call Trace: 0xc0000000012f77a0 (unreliable) registerkprobe+0x3c0/0x7a0 _registertracekprobe+0x140/0x1a0 _tracekprobecreate+0x794/0x1040 traceprobecreate+0xc4/0xe0 createordeletetracekprobe+0x2c/0x80 traceparseruncommand+0xf0/0x210 probeswrite+0x20/0x40 vfswrite+0xfc/0x450 ksyswrite+0x84/0x140 systemcallexception+0x17c/0x3a0 systemcallvectoredcommon+0xe8/0x278 --- interrupt: 3000 at 0x7fffa5682de0 NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000 REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e) MSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002408 XER: 00000000
The address being probed has some special:
cmdlineprocshow: Probe based on ftrace cmdlineprocshow+16: Probe for the next instruction at the ftrace location
The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets set to NULL. In archpreparekprobe() it will check for:
... prev = getkprobe(p->addr - 1); preemptenablenoresched(); if (prev && ppcinstprefixed(ppcinstread(prev->ainsn.insn))) { ...
If prev is based on ftrace, 'ppcinstread(prev->ainsn.insn)' will occur with a null pointer reference. At this point prev->addr will not be a prefixed instruction, so the check can be skipped.
Check if prev is ftrace-based kprobe before reading 'prev->ainsn.insn' to fix this problem.
[mpe: Trim oops]
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50635.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/4eac4f6a86ae73ef4b772d37398beeba2fbfde4e
- https://git.kernel.org/stable/c/5fd1b369387c53ee6c774ab86e32e362a1e537ac
- https://git.kernel.org/stable/c/7f536a8cb62dd5c084f112373fc34cdb5168a813
- https://git.kernel.org/stable/c/97f88a3d723162781d6cbfdc7b9617eefab55b19
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50635.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-50635
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedb4657f7650babc9bfb41ce875abe41b18604a105Fixed7f536a8cb62dd5c084f112373fc34cdb5168a813Fixed4eac4f6a86ae73ef4b772d37398beeba2fbfde4eFixed5fd1b369387c53ee6c774ab86e32e362a1e537acFixed97f88a3d723162781d6cbfdc7b9617eefab55b19