CVE-2022-48922: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: riscv: fix oops caused by irqsoff latency tracer The trace_hardirqs_{on,off}() require the caller to setup frame pointer properly. This because these two functions use macro 'CALLER_ADDR1' (aka. __builtin_return_address(1)) to acquire caller info. If the $fp is used for other purpose, the code generated this macro (as below) could trigger memory access fault. 0xffffffff8011510e <+80>: ld a1,-16(s0) 0xffffffff80115112 <+84>: ld s2,-8(a1) # <-- paging fault here The oops message during booting if compiled with 'irqoff' tracer enabled: [ 0.039615][ T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8 [ 0.041925][ T0] Oops [#1] [ 0.042063][ T0] Modules linked in: [ 0.042864][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29 [ 0.043568][ T0] Hardware name: riscv-virtio,qemu (DT) [ 0.044343][ T0] epc : trace_hardirqs_on+0x56/0xe2 [ 0.044601][ T0] ra : restore_all+0x12/0x6e [ 0.044721][ T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0 [ 0.044801][ T0] gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020 [ 0.044882][ T0] t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0 [ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100 [ 0.045046][ T0] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000 [ 0.045124][ T0] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45 [ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50 [ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8 [ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000 [ 0.045474][ T0] s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000 [ 0.045548][ T0] t5 : 0000000000000000 t6 : ffffffff814aa368 [ 0.045620][ T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d [ 0.046402][ T0] [<ffffffff80003b94>] restore_all+0x12/0x6e This because the $fp(aka. $s0) register is not used as frame pointer in the assembly entry code. resume_kernel: REG_L s0, TASK_TI_PREEMPT_COUNT(tp) bnez s0, restore_all REG_L s0, TASK_TI_FLAGS(tp) andi s0, s0, _TIF_NEED_RESCHED beqz s0, restore_all call preempt_schedule_irq j restore_all To fix above issue, here we add one extra level wrapper for function trace_hardirqs_{on,off}() so they can be safely called by low level entry code.
AI Analysis
Technical Summary
CVE-2022-48922 is a vulnerability identified in the Linux kernel specifically affecting the RISC-V architecture implementation. The issue arises from improper handling of the frame pointer ($fp or $s0 register) in low-level kernel code related to irqsoff latency tracing. The functions trace_hardirqs_on() and trace_hardirqs_off() rely on the macro CALLER_ADDR1, which uses __builtin_return_address(1) to obtain caller information. This macro assumes that the frame pointer is correctly set up. However, in certain assembly entry code paths, the $fp register is repurposed and not used as a frame pointer, leading to invalid memory accesses and kernel oops (crashes) during boot when irqoff tracer is enabled. The oops manifests as a NULL pointer dereference at a low virtual address, causing a paging fault. The root cause is that the assembly code does not preserve the frame pointer convention expected by the tracing macros, resulting in attempts to dereference invalid pointers. The fix involves adding an additional wrapper layer around trace_hardirqs_on/off() functions to ensure they are safely callable from low-level entry code without causing faults. This vulnerability is specific to Linux kernel builds with irqoff latency tracing enabled on RISC-V platforms. It does not affect other architectures or configurations without this tracing enabled. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability was published on August 22, 2024, and affects certain Linux kernel versions identified by specific commit hashes.
Potential Impact
For European organizations utilizing Linux systems on RISC-V hardware with irqoff latency tracing enabled, this vulnerability could cause system instability or boot failures due to kernel oops. This may lead to denial of service conditions, impacting availability of critical systems. While the vulnerability does not appear to allow privilege escalation or code execution directly, the resulting kernel crashes could disrupt operations, especially in embedded or industrial environments where RISC-V Linux is deployed. Since the issue occurs during boot or low-level kernel operations, affected systems may fail to start or recover without manual intervention, increasing operational risk. The impact is limited to systems compiled with irqoff tracer enabled, which is not common in typical enterprise Linux distributions but may be present in specialized or development builds. European organizations relying on RISC-V Linux for IoT, edge computing, or research platforms should be aware of potential service interruptions. The lack of known exploits reduces immediate threat, but unpatched systems remain vulnerable to accidental crashes or targeted disruption by attackers with kernel-level access.
Mitigation Recommendations
Organizations should verify if their Linux kernel builds on RISC-V platforms have irqoff latency tracing enabled. If so, they should promptly apply the patch that introduces the wrapper functions around trace_hardirqs_on/off() to prevent invalid memory accesses. Kernel upgrades to versions including this fix are recommended. For environments where irqoff tracing is not required, disabling this feature can mitigate the risk. Additionally, thorough testing of kernel updates in staging environments is advised to ensure stability. Monitoring kernel logs for oops messages related to trace_hardirqs_on/off can help detect attempts to trigger this fault. For embedded or specialized RISC-V Linux deployments, vendors should provide updated kernel images incorporating the fix. Implementing robust boot recovery mechanisms can reduce downtime caused by kernel crashes. Finally, limiting kernel debugging or tracing features in production systems unless necessary reduces attack surface and exposure to such vulnerabilities.
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden, Finland
CVE-2022-48922: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: riscv: fix oops caused by irqsoff latency tracer The trace_hardirqs_{on,off}() require the caller to setup frame pointer properly. This because these two functions use macro 'CALLER_ADDR1' (aka. __builtin_return_address(1)) to acquire caller info. If the $fp is used for other purpose, the code generated this macro (as below) could trigger memory access fault. 0xffffffff8011510e <+80>: ld a1,-16(s0) 0xffffffff80115112 <+84>: ld s2,-8(a1) # <-- paging fault here The oops message during booting if compiled with 'irqoff' tracer enabled: [ 0.039615][ T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8 [ 0.041925][ T0] Oops [#1] [ 0.042063][ T0] Modules linked in: [ 0.042864][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29 [ 0.043568][ T0] Hardware name: riscv-virtio,qemu (DT) [ 0.044343][ T0] epc : trace_hardirqs_on+0x56/0xe2 [ 0.044601][ T0] ra : restore_all+0x12/0x6e [ 0.044721][ T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0 [ 0.044801][ T0] gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020 [ 0.044882][ T0] t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0 [ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100 [ 0.045046][ T0] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000 [ 0.045124][ T0] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45 [ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50 [ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8 [ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000 [ 0.045474][ T0] s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000 [ 0.045548][ T0] t5 : 0000000000000000 t6 : ffffffff814aa368 [ 0.045620][ T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d [ 0.046402][ T0] [<ffffffff80003b94>] restore_all+0x12/0x6e This because the $fp(aka. $s0) register is not used as frame pointer in the assembly entry code. resume_kernel: REG_L s0, TASK_TI_PREEMPT_COUNT(tp) bnez s0, restore_all REG_L s0, TASK_TI_FLAGS(tp) andi s0, s0, _TIF_NEED_RESCHED beqz s0, restore_all call preempt_schedule_irq j restore_all To fix above issue, here we add one extra level wrapper for function trace_hardirqs_{on,off}() so they can be safely called by low level entry code.
AI-Powered Analysis
Technical Analysis
CVE-2022-48922 is a vulnerability identified in the Linux kernel specifically affecting the RISC-V architecture implementation. The issue arises from improper handling of the frame pointer ($fp or $s0 register) in low-level kernel code related to irqsoff latency tracing. The functions trace_hardirqs_on() and trace_hardirqs_off() rely on the macro CALLER_ADDR1, which uses __builtin_return_address(1) to obtain caller information. This macro assumes that the frame pointer is correctly set up. However, in certain assembly entry code paths, the $fp register is repurposed and not used as a frame pointer, leading to invalid memory accesses and kernel oops (crashes) during boot when irqoff tracer is enabled. The oops manifests as a NULL pointer dereference at a low virtual address, causing a paging fault. The root cause is that the assembly code does not preserve the frame pointer convention expected by the tracing macros, resulting in attempts to dereference invalid pointers. The fix involves adding an additional wrapper layer around trace_hardirqs_on/off() functions to ensure they are safely callable from low-level entry code without causing faults. This vulnerability is specific to Linux kernel builds with irqoff latency tracing enabled on RISC-V platforms. It does not affect other architectures or configurations without this tracing enabled. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability was published on August 22, 2024, and affects certain Linux kernel versions identified by specific commit hashes.
Potential Impact
For European organizations utilizing Linux systems on RISC-V hardware with irqoff latency tracing enabled, this vulnerability could cause system instability or boot failures due to kernel oops. This may lead to denial of service conditions, impacting availability of critical systems. While the vulnerability does not appear to allow privilege escalation or code execution directly, the resulting kernel crashes could disrupt operations, especially in embedded or industrial environments where RISC-V Linux is deployed. Since the issue occurs during boot or low-level kernel operations, affected systems may fail to start or recover without manual intervention, increasing operational risk. The impact is limited to systems compiled with irqoff tracer enabled, which is not common in typical enterprise Linux distributions but may be present in specialized or development builds. European organizations relying on RISC-V Linux for IoT, edge computing, or research platforms should be aware of potential service interruptions. The lack of known exploits reduces immediate threat, but unpatched systems remain vulnerable to accidental crashes or targeted disruption by attackers with kernel-level access.
Mitigation Recommendations
Organizations should verify if their Linux kernel builds on RISC-V platforms have irqoff latency tracing enabled. If so, they should promptly apply the patch that introduces the wrapper functions around trace_hardirqs_on/off() to prevent invalid memory accesses. Kernel upgrades to versions including this fix are recommended. For environments where irqoff tracing is not required, disabling this feature can mitigate the risk. Additionally, thorough testing of kernel updates in staging environments is advised to ensure stability. Monitoring kernel logs for oops messages related to trace_hardirqs_on/off can help detect attempts to trigger this fault. For embedded or specialized RISC-V Linux deployments, vendors should provide updated kernel images incorporating the fix. Implementing robust boot recovery mechanisms can reduce downtime caused by kernel crashes. Finally, limiting kernel debugging or tracing features in production systems unless necessary reduces attack surface and exposure to such vulnerabilities.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-08-21T06:06:23.295Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982fc4522896dcbe65ee
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 6/30/2025, 11:42:42 PM
Last updated: 7/26/2025, 12:25:54 AM
Views: 8
Related Threats
CVE-2025-8841: Unrestricted Upload in zlt2000 microservices-platform
MediumCVE-2025-8840: Improper Authorization in jshERP
MediumCVE-2025-8853: CWE-290 Authentication Bypass by Spoofing in 2100 Technology Official Document Management System
CriticalCVE-2025-8838: Improper Authentication in WinterChenS my-site
MediumCVE-2025-8837: Use After Free in JasPer
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.