{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-48922","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-08-21T06:06:23.295Z","datePublished":"2024-08-22T01:32:55.803Z","dateUpdated":"2025-05-04T08:26:09.859Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:26:09.859Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fix oops caused by irqsoff latency tracer\n\nThe trace_hardirqs_{on,off}() require the caller to setup frame pointer\nproperly. This because these two functions use macro 'CALLER_ADDR1' (aka.\n__builtin_return_address(1)) to acquire caller info. If the $fp is used\nfor other purpose, the code generated this macro (as below) could trigger\nmemory access fault.\n\n   0xffffffff8011510e <+80>:    ld      a1,-16(s0)\n   0xffffffff80115112 <+84>:    ld      s2,-8(a1)  # <-- paging fault here\n\nThe oops message during booting if compiled with 'irqoff' tracer enabled:\n[    0.039615][    T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8\n[    0.041925][    T0] Oops [#1]\n[    0.042063][    T0] Modules linked in:\n[    0.042864][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29\n[    0.043568][    T0] Hardware name: riscv-virtio,qemu (DT)\n[    0.044343][    T0] epc : trace_hardirqs_on+0x56/0xe2\n[    0.044601][    T0]  ra : restore_all+0x12/0x6e\n[    0.044721][    T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0\n[    0.044801][    T0]  gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020\n[    0.044882][    T0]  t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0\n[    0.044967][    T0]  s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100\n[    0.045046][    T0]  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000\n[    0.045124][    T0]  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45\n[    0.045210][    T0]  s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50\n[    0.045289][    T0]  s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8\n[    0.045389][    T0]  s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000\n[    0.045474][    T0]  s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000\n[    0.045548][    T0]  t5 : 0000000000000000 t6 : ffffffff814aa368\n[    0.045620][    T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d\n[    0.046402][    T0] [<ffffffff80003b94>] restore_all+0x12/0x6e\n\nThis because the $fp(aka. $s0) register is not used as frame pointer in the\nassembly entry code.\n\n\tresume_kernel:\n\t\tREG_L s0, TASK_TI_PREEMPT_COUNT(tp)\n\t\tbnez s0, restore_all\n\t\tREG_L s0, TASK_TI_FLAGS(tp)\n                andi s0, s0, _TIF_NEED_RESCHED\n                beqz s0, restore_all\n                call preempt_schedule_irq\n                j restore_all\n\nTo fix above issue, here we add one extra level wrapper for function\ntrace_hardirqs_{on,off}() so they can be safely called by low level entry\ncode."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/riscv/kernel/Makefile","arch/riscv/kernel/entry.S","arch/riscv/kernel/trace_irq.c","arch/riscv/kernel/trace_irq.h"],"versions":[{"version":"3c46979829824da5af8766d89fa877976bdae884","lessThan":"9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3","status":"affected","versionType":"git"},{"version":"3c46979829824da5af8766d89fa877976bdae884","lessThan":"1851b9a467065b18ec2cba156eea345206df1c8f","status":"affected","versionType":"git"},{"version":"3c46979829824da5af8766d89fa877976bdae884","lessThan":"b5e180490db4af8c0f80c4b65ee482d333d0e8ee","status":"affected","versionType":"git"},{"version":"3c46979829824da5af8766d89fa877976bdae884","lessThan":"22e2100b1b07d6f5acc71cc1acb53f680c677d77","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/riscv/kernel/Makefile","arch/riscv/kernel/entry.S","arch/riscv/kernel/trace_irq.c","arch/riscv/kernel/trace_irq.h"],"versions":[{"version":"5.9","status":"affected"},{"version":"0","lessThan":"5.9","status":"unaffected","versionType":"semver"},{"version":"5.10.103","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.26","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.12","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.10.103"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.15.26"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.16.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3"},{"url":"https://git.kernel.org/stable/c/1851b9a467065b18ec2cba156eea345206df1c8f"},{"url":"https://git.kernel.org/stable/c/b5e180490db4af8c0f80c4b65ee482d333d0e8ee"},{"url":"https://git.kernel.org/stable/c/22e2100b1b07d6f5acc71cc1acb53f680c677d77"}],"title":"riscv: fix oops caused by irqsoff latency tracer","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2022-48922","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T15:33:25.364852Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-12T17:33:00.926Z"}}]}}