CVE-2022-50635

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/12/2025
Last modified:
09/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()

I found a null pointer reference in arch_prepare_kprobe():

# echo 'p cmdline_proc_show' > kprobe_events
# echo 'p cmdline_proc_show+16' >> kprobe_events
Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc000000000050bfc
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
Modules linked in:
CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10
NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc
REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)
MSR: 9000000000009033 CR: 88002444 XER: 20040006
CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0
...
NIP arch_prepare_kprobe+0x10c/0x2d0
LR arch_prepare_kprobe+0xfc/0x2d0
Call Trace:
0xc0000000012f77a0 (unreliable)
register_kprobe+0x3c0/0x7a0
__register_trace_kprobe+0x140/0x1a0
__trace_kprobe_create+0x794/0x1040
trace_probe_create+0xc4/0xe0
create_or_delete_trace_kprobe+0x2c/0x80
trace_parse_run_command+0xf0/0x210
probes_write+0x20/0x40
vfs_write+0xfc/0x450
ksys_write+0x84/0x140
system_call_exception+0x17c/0x3a0
system_call_vectored_common+0xe8/0x278
--- interrupt: 3000 at 0x7fffa5682de0
NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000
REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)
MSR: 900000000280f033 CR: 44002408 XER: 00000000

The addresses being probed have something special:

cmdline_proc_show: Probe based on ftrace
cmdline_proc_show+16: Probe for the next instruction at the ftrace location

The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets
set to NULL. In arch_prepare_kprobe() it will check for:

...
prev = get_kprobe(p->addr - 1);
preempt_enable_no_resched();
if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {
...

If prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur
with a null pointer reference. At this point prev->addr will not be a
prefixed instruction, so the check can be skipped.

Check if prev is ftrace-based kprobe before reading 'prev->ainsn.insn'
to fix this problem.

[mpe: Trim oops]
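The following is an added, user-space model of the check described above; it is not the kernel's own code and does not come from this record. It reproduces the structure of the failing condition: a probe placed on an ftrace site has no copied instruction (ainsn.insn is NULL), so the prefixed-instruction check on the preceding probe must test for that case before reading through the pointer. The struct, flag name, and helpers (model_kprobe, KPROBE_FLAG_FTRACE, model_inst_prefixed, model_kprobe_ftraced, model_prepare_kprobe) are assumptions chosen for the illustration; only the Power ISA rule that a prefixed instruction's first word carries primary opcode 1 is a real fact the model relies on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the kprobe fields the fix touches (assumption: this is
 * an illustration of the shape of the bug, not the kernel's struct kprobe). */
#define KPROBE_FLAG_FTRACE 0x1u

struct model_kprobe {
    unsigned long addr;       /* probed address */
    unsigned int flags;       /* KPROBE_FLAG_FTRACE when placed on an ftrace site */
    struct {
        uint32_t *insn;       /* copied instruction; NULL for an ftrace-based probe */
    } ainsn;
};

/* Power ISA v3.1 prefixed instructions carry primary opcode 1 in their first
 * word; this stands in for what ppc_inst_prefixed() tests on the real word. */
static bool model_inst_prefixed(uint32_t word)
{
    return (word >> 26) == 1;
}

/* Predicate the fix relies on: was this probe placed via ftrace? */
static bool model_kprobe_ftraced(const struct model_kprobe *p)
{
    return (p->flags & KPROBE_FLAG_FTRACE) != 0;
}

/* Pre-fix logic: reads prev->ainsn.insn unconditionally. With an ftrace-based
 * prev, insn is NULL and the read faults at address 0 (the oops in the record).
 * Kept only for comparison; never call it with an ftrace-based prev. */
static bool prev_is_prefixed_unfixed(const struct model_kprobe *prev)
{
    return prev && model_inst_prefixed(*prev->ainsn.insn);
}

/* Fixed logic: an ftrace-based prev has no copied instruction and cannot be a
 * prefixed instruction, so the pointer is never read in that case. */
static bool prev_is_prefixed_fixed(const struct model_kprobe *prev)
{
    return prev && !model_kprobe_ftraced(prev) &&
           model_inst_prefixed(*prev->ainsn.insn);
}

/* Models the step of arch_prepare_kprobe() that refuses to place a probe on the
 * second word of a prefixed instruction. Returns 0 (accept) or -1 (reject). */
static int model_prepare_kprobe(const struct model_kprobe *prev, bool fixed)
{
    bool prefixed = fixed ? prev_is_prefixed_fixed(prev)
                          : prev_is_prefixed_unfixed(prev);
    return prefixed ? -1 : 0;
}

/* Constructed sample probes; addresses are placeholders, not kernel symbols. */
static uint32_t plain_word  = 0x38600000u;  /* opcode 14 (addi): not prefixed */
static uint32_t prefix_word = 0x06000000u;  /* opcode 1: prefix word */

static struct model_kprobe ftrace_prev = { 0x1000, KPROBE_FLAG_FTRACE, { NULL } };
static struct model_kprobe plain_prev  = { 0x1010, 0, { &plain_word } };
static struct model_kprobe prefix_prev = { 0x1020, 0, { &prefix_word } };

int main(void)
{
    printf("ftrace prev, fixed check  -> %d\n", model_prepare_kprobe(&ftrace_prev, true));
    printf("plain prev, fixed check   -> %d\n", model_prepare_kprobe(&plain_prev, true));
    printf("prefix prev, fixed check  -> %d\n", model_prepare_kprobe(&prefix_prev, true));
    printf("prefix prev, unfixed check -> %d\n", model_prepare_kprobe(&prefix_prev, false));
    /* model_prepare_kprobe(&ftrace_prev, false) would dereference NULL. */
    return 0;
}
```

The ordering inside prev_is_prefixed_fixed is the whole point: the ftrace test must short-circuit before the pointer read, which is exactly what the upstream change does by checking whether prev is ftrace-based before touching prev->ainsn.insn.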

Impact