CVE-2022-49402

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/02/2025
Last modified: 21/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ftrace: Clean up hash direct_functions on register failures

We see the following GPF when register_ftrace_direct fails:

[ ] general protection fault, probably for non-canonical address 0x200000000000010: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
[...]
[ ] RIP: 0010:ftrace_find_rec_direct+0x53/0x70
[ ] Code: 48 c1 e0 03 48 03 42 08 48 8b 10 31 c0 48 85 d2 74 [...]
[ ] RSP: 0018:ffffc9000138bc10 EFLAGS: 00010206
[ ] RAX: 0000000000000000 RBX: ffffffff813e0df0 RCX: 000000000000003b
[ ] RDX: 0200000000000000 RSI: 000000000000000c RDI: ffffffff813e0df0
[ ] RBP: ffffffffa00a3000 R08: ffffffff81180ce0 R09: 0000000000000001
[ ] R10: ffffc9000138bc18 R11: 0000000000000001 R12: ffffffff813e0df0
[ ] R13: ffffffff813e0df0 R14: ffff888171b56400 R15: 0000000000000000
[ ] FS: 00007fa9420c7780(0000) GS:ffff888ff6a00000(0000) knlGS:000000000
[ ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ ] CR2: 000000000770d000 CR3: 0000000107d50003 CR4: 0000000000370ee0
[ ] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ ] Call Trace:
[ ] register_ftrace_direct+0x54/0x290
[ ] ? render_sigset_t+0xa0/0xa0
[ ] bpf_trampoline_update+0x3f5/0x4a0
[ ] ? 0xffffffffa00a3000
[ ] bpf_trampoline_link_prog+0xa9/0x140
[ ] bpf_tracing_prog_attach+0x1dc/0x450
[ ] bpf_raw_tracepoint_open+0x9a/0x1e0
[ ] ? find_held_lock+0x2d/0x90
[ ] ? lock_release+0x150/0x430
[ ] __sys_bpf+0xbd6/0x2700
[ ] ? lock_is_held_type+0xd8/0x130
[ ] __x64_sys_bpf+0x1c/0x20
[ ] do_syscall_64+0x3a/0x80
[ ] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ ] RIP: 0033:0x7fa9421defa9
[ ] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 9 f8 [...]
[ ] RSP: 002b:00007ffed743bd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ ] RAX: ffffffffffffffda RBX: 00000000069d2480 RCX: 00007fa9421defa9
[ ] RDX: 0000000000000078 RSI: 00007ffed743bd80 RDI: 0000000000000011
[ ] RBP: 00007ffed743be00 R08: 0000000000bb7270 R09: 0000000000000000
[ ] R10: 00000000069da210 R11: 0000000000000246 R12: 0000000000000001
[ ] R13: 00007ffed743c4b0 R14: 00000000069d2480 R15: 0000000000000001
[ ] Modules linked in: klp_vm(OK)
[ ] ---[ end trace 0000000000000000 ]---

One way to trigger this is:
1. load a livepatch that patches kernel function xxx;
2. run bpftrace -e 'kfunc:xxx {}', this will fail (expected for now);
3. repeat #2 => gpf.

This is because the entry is added to direct_functions, but not removed.
Fix this by removing the entry from direct_functions when
register_ftrace_direct fails.

Also remove the last trailing space from ftrace.c, so we don't have to
worry about it anymore.
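The failure the commit describes, modelled as an added C example that is not kernel code: a fixed-slot stand-in for the direct_functions hash, a register_direct() that inserts the entry before the step that can fail, and a flag selecting the fixed behaviour of undoing the insertion on the error path. All names are hypothetical, and the two sample addresses are reused from the RBX and RBP values in the oops above.

```c
/* Added model of the CVE-2022-49402 error path (not kernel code): a fixed-slot
 * stand-in for the direct_functions hash, keyed by instruction address, and a
 * register_direct() that inserts the entry before the step that can fail. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 16
struct direct_entry { unsigned long ip; unsigned long addr; bool used; };
static struct direct_entry direct_functions[NBUCKETS];

static struct direct_entry *slot(unsigned long ip) { return &direct_functions[(ip >> 4) % NBUCKETS]; }
void reset_direct_functions(void) { memset(direct_functions, 0, sizeof(direct_functions)); }

/* Lookup as ftrace_find_rec_direct() does: trampoline address for ip, or 0. */
unsigned long find_rec_direct(unsigned long ip)
{
    struct direct_entry *e = slot(ip);
    return (e->used && e->ip == ip) ? e->addr : 0;
}

/* later_step_fails stands in for whatever made register_ftrace_direct fail
 * (the livepatched function in the report); cleanup_on_failure selects the
 * fixed behaviour of removing the entry again before returning the error. */
int register_direct(unsigned long ip, unsigned long addr,
                    bool later_step_fails, bool cleanup_on_failure)
{
    struct direct_entry *e = slot(ip);
    e->ip = ip; e->addr = addr; e->used = true;   /* added to direct_functions */
    if (!later_step_fails)
        return 0;
    if (cleanup_on_failure)
        e->used = false;                           /* the fix: entry removed */
    return -1;                                     /* registration failed */
}

int main(void)
{
    /* sample addresses reused from the RBX and RBP values in the oops above */
    unsigned long ip = 0xffffffff813e0df0UL, tramp = 0xffffffffa00a3000UL;
    for (int fixed = 0; fixed < 2; fixed++) {
        reset_direct_functions();
        register_direct(ip, tramp, true, fixed);
        printf("%s: entry left for %#lx -> %#lx\n", fixed ? "fixed" : "buggy",
               ip, find_rec_direct(ip));
    }
    return 0;
}
```

In the buggy run the lookup still returns the trampoline address after the failed registration, which is the stale entry the next attempt in the report dereferenced; in the fixed run it returns 0.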

Vulnerable products and versions

CPE                                              From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.5 (including)    5.10.121 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.11 (including)   5.15.46 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16 (including)   5.17.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.18 (including)   5.18.3 (excluding)