CVE-2022-50008
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
14/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
kprobes: don&#39;t call disarm_kprobe() for disabled kprobes<br />
<br />
The assumption in __disable_kprobe() is wrong, and it could try to disarm<br />
an already disarmed kprobe and fire the WARN_ONCE() below. [0] We can<br />
easily reproduce this issue.<br />
<br />
1. Write 0 to /sys/kernel/debug/kprobes/enabled.<br />
<br />
# echo 0 > /sys/kernel/debug/kprobes/enabled<br />
<br />
2. Run execsnoop. At this time, one kprobe is disabled.<br />
<br />
# /usr/share/bcc/tools/execsnoop &<br />
[1] 2460<br />
PCOMM PID PPID RET ARGS<br />
<br />
# cat /sys/kernel/debug/kprobes/list<br />
ffffffff91345650 r __x64_sys_execve+0x0 [FTRACE]<br />
ffffffff91345650 k __x64_sys_execve+0x0 [DISABLED][FTRACE]<br />
<br />
3. Write 1 to /sys/kernel/debug/kprobes/enabled, which changes<br />
kprobes_all_disarmed to false but does not arm the disabled kprobe.<br />
<br />
# echo 1 > /sys/kernel/debug/kprobes/enabled<br />
<br />
# cat /sys/kernel/debug/kprobes/list<br />
ffffffff91345650 r __x64_sys_execve+0x0 [FTRACE]<br />
ffffffff91345650 k __x64_sys_execve+0x0 [DISABLED][FTRACE]<br />
<br />
4. Kill execsnoop, when __disable_kprobe() calls disarm_kprobe() for the<br />
disabled kprobe and hits the WARN_ONCE() in __disarm_kprobe_ftrace().<br />
<br />
# fg<br />
/usr/share/bcc/tools/execsnoop<br />
^C<br />
<br />
Actually, WARN_ONCE() is fired twice, and __unregister_kprobe_top() misses<br />
some cleanups and leaves the aggregated kprobe in the hash table. Then,<br />
__unregister_trace_kprobe() initialises tk->rp.kp.list and creates an<br />
infinite loop like this.<br />
<br />
aggregated kprobe.list -> kprobe.list -.<br />
^ |<br />
&#39;.__.&#39;<br />
<br />
In this situation, these commands fall into the infinite loop and result<br />
in RCU stall or soft lockup.<br />
<br />
cat /sys/kernel/debug/kprobes/list : show_kprobe_addr() enters into the<br />
infinite loop with RCU.<br />
<br />
/usr/share/bcc/tools/execsnoop : warn_kprobe_rereg() holds kprobe_mutex,<br />
and __get_valid_kprobe() is stuck in<br />
the loop.<br />
<br />
To avoid the issue, make sure we don&#39;t call disarm_kprobe() for disabled<br />
kprobes.<br />
<br />
[0]<br />
Failed to disarm kprobe-ftrace at __x64_sys_execve+0x0/0x40 (error -2)<br />
WARNING: CPU: 6 PID: 2460 at kernel/kprobes.c:1130 __disarm_kprobe_ftrace.isra.19 (kernel/kprobes.c:1129)<br />
Modules linked in: ena<br />
CPU: 6 PID: 2460 Comm: execsnoop Not tainted 5.19.0+ #28<br />
Hardware name: Amazon EC2 c5.2xlarge/, BIOS 1.0 10/16/2017<br />
RIP: 0010:__disarm_kprobe_ftrace.isra.19 (kernel/kprobes.c:1129)<br />
Code: 24 8b 02 eb c1 80 3d c4 83 f2 01 00 75 d4 48 8b 75 00 89 c2 48 c7 c7 90 fa 0f 92 89 04 24 c6 05 ab 83 01 e8 e4 94 f0 ff 0b 8b 04 24 eb b1 89 c6 48 c7 c7 60 fa 0f 92 89 04 24 e8 cc 94<br />
RSP: 0018:ffff9e6ec154bd98 EFLAGS: 00010282<br />
RAX: 0000000000000000 RBX: ffffffff930f7b00 RCX: 0000000000000001<br />
RDX: 0000000080000001 RSI: ffffffff921461c5 RDI: 00000000ffffffff<br />
RBP: ffff89c504286da8 R08: 0000000000000000 R09: c0000000fffeffff<br />
R10: 0000000000000000 R11: ffff9e6ec154bc28 R12: ffff89c502394e40<br />
R13: ffff89c502394c00 R14: ffff9e6ec154bc00 R15: 0000000000000000<br />
FS: 00007fe800398740(0000) GS:ffff89c812d80000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 000000c00057f010 CR3: 0000000103b54006 CR4: 00000000007706e0<br />
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br />
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br />
PKRU: 55555554<br />
Call Trace:<br />
<br />
__disable_kprobe (kernel/kprobes.c:1716)<br />
disable_kprobe (kernel/kprobes.c:2392)<br />
__disable_trace_kprobe (kernel/trace/trace_kprobe.c:340)<br />
disable_trace_kprobe (kernel/trace/trace_kprobe.c:429)<br />
perf_trace_event_unreg.isra.2 (./include/linux/tracepoint.h:93 kernel/trace/trace_event_perf.c:168)<br />
perf_kprobe_destroy (kernel/trace/trace_event_perf.c:295)<br />
_free_event (kernel/events/core.c:4971)<br />
perf_event_release_kernel (kernel/events/core.c:5176)<br />
perf_release (kernel/events/core.c:5186)<br />
__fput (fs/file_table.c:321)<br />
task_work_run (./include/linux/<br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.0 (including) | 4.9.327 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.292 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.257 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.212 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.141 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.65 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.19.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/19cd630712e7c13a3dedfc6986a9b983fed6fd98
- https://git.kernel.org/stable/c/55c7a91527343d2e0b5647cc308c6e04ddd2aa52
- https://git.kernel.org/stable/c/6f3c1bc22fc2165461883f506b4d2c3594bd7137
- https://git.kernel.org/stable/c/744b0d3080709a172f0408aedabd1cedd24c2ee6
- https://git.kernel.org/stable/c/9c80e79906b4ca440d09e7f116609262bb747909
- https://git.kernel.org/stable/c/b474ff1b20951f1eac75d100a93861e6da2b522b
- https://git.kernel.org/stable/c/bc3188d8a3b8c08c306a4c851ddb2c92ba4599ca
- https://git.kernel.org/stable/c/fc91d2db55acdaf0c0075b624e572d3520ca3bc3