CVE-2022-49799

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing: Fix wild-memory-access in register_synth_event()<br /> <br /> In register_synth_event(), if set_synth_event_print_fmt() failed, then<br /> both trace_remove_event_call() and unregister_trace_event() will be<br /> called, which means the trace_event_call will call<br /> __unregister_trace_event() twice. As the result, the second unregister<br /> will causes the wild-memory-access.<br /> <br /> register_synth_event<br /> set_synth_event_print_fmt failed<br /> trace_remove_event_call<br /> event_remove<br /> if call-&gt;event.funcs then<br /> __unregister_trace_event (first call)<br /> unregister_trace_event<br /> __unregister_trace_event (second call)<br /> <br /> Fix the bug by avoiding to call the second __unregister_trace_event() by<br /> checking if the first one is called.<br /> <br /> general protection fault, probably for non-canonical address<br /> 0xfbd59c0000000024: 0000 [#1] SMP KASAN PTI<br /> KASAN: maybe wild-memory-access in range<br /> [0xdead000000000120-0xdead000000000127]<br /> CPU: 0 PID: 3807 Comm: modprobe Not tainted<br /> 6.1.0-rc1-00186-g76f33a7eedb4 #299<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br /> rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:unregister_trace_event+0x6e/0x280<br /> Code: 00 fc ff df 4c 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 0e 02 00 00 48<br /> b8 00 00 00 00 00 fc ff df 4c 8b 63 08 4c 89 e2 48 c1 ea 03 3c 02<br /> 00 0f 85 e2 01 00 00 49 89 2c 24 48 85 ed 74 28 e8 7a 9b<br /> RSP: 0018:ffff88810413f370 EFLAGS: 00010a06<br /> RAX: dffffc0000000000 RBX: ffff888105d050b0 RCX: 0000000000000000<br /> RDX: 1bd5a00000000024 RSI: ffff888119e276e0 RDI: ffffffff835a8b20<br /> RBP: dead000000000100 R08: 0000000000000000 R09: fffffbfff0913481<br /> R10: ffffffff8489a407 R11: fffffbfff0913480 R12: dead000000000122<br /> R13: ffff888105d050b8 R14: 0000000000000000 R15: ffff888105d05028<br /> FS: 00007f7823e8d540(0000) GS:ffff888119e00000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f7823e7ebec CR3: 000000010a058002 CR4: 0000000000330ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __create_synth_event+0x1e37/0x1eb0<br /> create_or_delete_synth_event+0x110/0x250<br /> synth_event_run_command+0x2f/0x110<br /> test_gen_synth_cmd+0x170/0x2eb [synth_event_gen_test]<br /> synth_event_gen_test_init+0x76/0x9bc [synth_event_gen_test]<br /> do_one_initcall+0xdb/0x480<br /> do_init_module+0x1cf/0x680<br /> load_module+0x6a50/0x70a0<br /> __do_sys_finit_module+0x12f/0x1c0<br /> do_syscall_64+0x3f/0x90<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd