CVE-2022-50078

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing/eprobes: Do not allow eprobes to use $stack, or % for regs<br /> <br /> While playing with event probes (eprobes), I tried to see what would<br /> happen if I attempted to retrieve the instruction pointer (%rip) knowing<br /> that event probes do not use pt_regs. The result was:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000024<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP PTI<br /> CPU: 1 PID: 1847 Comm: trace-cmd Not tainted 5.19.0-rc5-test+ #309<br /> Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01<br /> v03.03 07/14/2016<br /> RIP: 0010:get_event_field.isra.0+0x0/0x50<br /> Code: ff 48 c7 c7 c0 8f 74 a1 e8 3d 8b f5 ff e8 88 09 f6 ff 4c 89 e7 e8<br /> 50 6a 13 00 48 89 ef 5b 5d 41 5c 41 5d e9 42 6a 13 00 66 90 63 47 24<br /> 8b 57 2c 48 01 c6 8b 47 28 83 f8 02 74 0e 83 f8 04 74<br /> RSP: 0018:ffff916c394bbaf0 EFLAGS: 00010086<br /> RAX: ffff916c854041d8 RBX: ffff916c8d9fbf50 RCX: ffff916c255d2000<br /> RDX: 0000000000000000 RSI: ffff916c255d2008 RDI: 0000000000000000<br /> RBP: 0000000000000000 R08: ffff916c3a2a0c08 R09: ffff916c394bbda8<br /> R10: 0000000000000000 R11: 0000000000000000 R12: ffff916c854041d8<br /> R13: ffff916c854041b0 R14: 0000000000000000 R15: 0000000000000000<br /> FS: 0000000000000000(0000) GS:ffff916c9ea40000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000024 CR3: 000000011b60a002 CR4: 00000000001706e0<br /> Call Trace:<br /> <br /> get_eprobe_size+0xb4/0x640<br /> ? __mod_node_page_state+0x72/0xc0<br /> __eprobe_trace_func+0x59/0x1a0<br /> ? __mod_lruvec_page_state+0xaa/0x1b0<br /> ? page_remove_file_rmap+0x14/0x230<br /> ? page_remove_rmap+0xda/0x170<br /> event_triggers_call+0x52/0xe0<br /> trace_event_buffer_commit+0x18f/0x240<br /> trace_event_raw_event_sched_wakeup_template+0x7a/0xb0<br /> try_to_wake_up+0x260/0x4c0<br /> __wake_up_common+0x80/0x180<br /> __wake_up_common_lock+0x7c/0xc0<br /> do_notify_parent+0x1c9/0x2a0<br /> exit_notify+0x1a9/0x220<br /> do_exit+0x2ba/0x450<br /> do_group_exit+0x2d/0x90<br /> __x64_sys_exit_group+0x14/0x20<br /> do_syscall_64+0x3b/0x90<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> Obviously this is not the desired result.<br /> <br /> Move the testing for TPARG_FL_TPOINT which is only used for event probes<br /> to the top of the "$" variable check, as all the other variables are not<br /> used for event probes. Also add a check in the register parsing "%" to<br /> fail if an event probe is used.