CVE-2022-49889
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
01/05/2025
Last modified:
07/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()<br />
<br />
On some machines the number of listed CPUs may be bigger than the actual<br />
CPUs that exist. The tracing subsystem allocates a per_cpu directory with<br />
access to the per CPU ring buffer via a cpuX file. But to save space, the<br />
ring buffer will only allocate buffers for online CPUs, even though the<br />
CPU array will be as big as the nr_cpu_ids.<br />
<br />
With the addition of waking waiters on the ring buffer when closing the<br />
file, the ring_buffer_wake_waiters() now needs to make sure that the<br />
buffer is allocated (with the irq_work allocated with it) before trying to<br />
wake waiters, as it will cause a NULL pointer dereference.<br />
<br />
While debugging this, I added a NULL check for the buffer itself (which is<br />
OK to do), and also NULL pointer checks against buffer->buffers (which is<br />
not fine, and will WARN) as well as making sure the CPU number passed in<br />
is within the nr_cpu_ids (which is also not fine if it isn&#39;t).<br />
<br />
<br />
Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1204705
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.75 (including) | 5.15.78 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.19.17 (including) | 6.0 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.0.3 (including) | 6.0.8 (excluding) |
To consult the complete list of CPE names with products and versions, see this page