CVE-2022-49402: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

ftrace: Clean up hash direct_functions on register failures

We see the following GPF when register_ftrace_direct fails:

[ ] general protection fault, probably for non-canonical address \
    0x200000000000010: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
[...]
[ ] RIP: 0010:ftrace_find_rec_direct+0x53/0x70
[ ] Code: 48 c1 e0 03 48 03 42 08 48 8b 10 31 c0 48 85 d2 74 [...]
[ ] RSP: 0018:ffffc9000138bc10 EFLAGS: 00010206
[ ] RAX: 0000000000000000 RBX: ffffffff813e0df0 RCX: 000000000000003b
[ ] RDX: 0200000000000000 RSI: 000000000000000c RDI: ffffffff813e0df0
[ ] RBP: ffffffffa00a3000 R08: ffffffff81180ce0 R09: 0000000000000001
[ ] R10: ffffc9000138bc18 R11: 0000000000000001 R12: ffffffff813e0df0
[ ] R13: ffffffff813e0df0 R14: ffff888171b56400 R15: 0000000000000000
[ ] FS:  00007fa9420c7780(0000) GS:ffff888ff6a00000(0000) knlGS:000000000
[ ] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ ] CR2: 000000000770d000 CR3: 0000000107d50003 CR4: 0000000000370ee0
[ ] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ ] Call Trace:
[ ]  <TASK>
[ ]  register_ftrace_direct+0x54/0x290
[ ]  ? render_sigset_t+0xa0/0xa0
[ ]  bpf_trampoline_update+0x3f5/0x4a0
[ ]  ? 0xffffffffa00a3000
[ ]  bpf_trampoline_link_prog+0xa9/0x140
[ ]  bpf_tracing_prog_attach+0x1dc/0x450
[ ]  bpf_raw_tracepoint_open+0x9a/0x1e0
[ ]  ? find_held_lock+0x2d/0x90
[ ]  ? lock_release+0x150/0x430
[ ]  __sys_bpf+0xbd6/0x2700
[ ]  ? lock_is_held_type+0xd8/0x130
[ ]  __x64_sys_bpf+0x1c/0x20
[ ]  do_syscall_64+0x3a/0x80
[ ]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ ] RIP: 0033:0x7fa9421defa9
[ ] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 9 f8 [...]
[ ] RSP: 002b:00007ffed743bd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ ] RAX: ffffffffffffffda RBX: 00000000069d2480 RCX: 00007fa9421defa9
[ ] RDX: 0000000000000078 RSI: 00007ffed743bd80 RDI: 0000000000000011
[ ] RBP: 00007ffed743be00 R08: 0000000000bb7270 R09: 0000000000000000
[ ] R10: 00000000069da210 R11: 0000000000000246 R12: 0000000000000001
[ ] R13: 00007ffed743c4b0 R14: 00000000069d2480 R15: 0000000000000001
[ ]  </TASK>
[ ] Modules linked in: klp_vm(OK)
[ ] ---[ end trace 0000000000000000 ]---

One way to trigger this is:

1. load a livepatch that patches kernel function xxx;
2. run bpftrace -e 'kfunc:xxx {}', this will fail (expected for now);
3. repeat #2 => gpf.

This is because the entry is added to direct_functions, but not removed.
Fix this by removing the entry from direct_functions when
register_ftrace_direct fails.

Also remove the last trailing space from ftrace.c, so we don't have to
worry about it anymore.
AI Analysis
Technical Summary
CVE-2022-49402 is a vulnerability in the Linux kernel's ftrace subsystem, specifically in the handling of direct function tracing registrations. The issue arises when register_ftrace_direct fails while registering a direct function for tracing. In that failure case the kernel does not clean up the entry it has already placed in the direct_functions hash table, so a stale entry remains. The next lookup that walks into that entry triggers a general protection fault (GPF), in the trace above a non-canonical address access in ftrace_find_rec_direct, and the kernel crashes.

The vulnerability is reproducible by loading a livepatch that modifies a kernel function and then running a bpftrace command that attaches a kfunc probe to the patched function. The first attach attempt fails, as expected, but the next attempt crashes the kernel because of the leftover direct_functions entry. The root cause is that the entry is added to direct_functions before the failure is detected and is not removed afterwards, leaving the kernel in an inconsistent state. The fix removes the corresponding entry from direct_functions whenever registration fails, so no stale reference survives to cause a later fault.

This vulnerability affects specific Linux kernel versions identified by the commit hash 763e34e74bb7d5c316015e2e39fcc8520bfd071c. No exploits are known in the wild, but the bug can be used for denial of service (DoS): a local user or process that can load livepatches and run bpftrace can crash the kernel. It requires no remote access and no user interaction beyond local execution privileges, so it mainly concerns systems that allow untrusted local code execution or livepatch loading. The impact is on kernel stability and availability; it does not directly expose confidentiality or integrity.
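Added example, not kernel code and not part of this advisory: a toy C model of the direct_functions hash that shows the error path the commit describes, with the buggy behaviour (entry left behind after a failed attach) beside the fixed one. The function names mirror the kernel's, but the hash, the failing attach step and the trampoline address are all constructed for the illustration.

```c
#include <errno.h>
#include <stdlib.h>

#define HASH_SIZE 16
/* Toy version of the direct_functions hash: ip -> direct trampoline addr. */
struct func_entry { unsigned long ip, direct; struct func_entry *next; };
static struct func_entry *direct_functions[HASH_SIZE];
static unsigned bucket(unsigned long ip) { return (ip >> 4) % HASH_SIZE; }

/* Model of ftrace_find_rec_direct(): trampoline for ip, or 0 if none. */
unsigned long find_rec_direct(unsigned long ip)
{
    for (struct func_entry *e = direct_functions[bucket(ip)]; e; e = e->next)
        if (e->ip == ip)
            return e->direct;
    return 0;
}

static void remove_hash_entry(struct func_entry *victim)
{
    struct func_entry **pp = &direct_functions[bucket(victim->ip)];
    for (; *pp; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; return; }
}

/* Stand-in for the ftrace_set_filter_ip()/register_ftrace_function() step,
 * the part that fails when a livepatch already owns the function. */
static int attach_fails;

/* Model of register_ftrace_direct(). cleanup=0 reproduces the bug (entry
 * stays in the hash after a failure); cleanup=1 is what the fix does. */
int register_direct(unsigned long ip, unsigned long addr, int cleanup)
{
    struct func_entry *e = calloc(1, sizeof(*e));
    e->ip = ip; e->direct = addr;
    e->next = direct_functions[bucket(ip)];
    direct_functions[bucket(ip)] = e;           /* inserted before attach */
    int ret = attach_fails ? -EBUSY : 0;
    if (ret && cleanup) {                       /* the fix: undo on error */
        remove_hash_entry(e);
        free(e);
    }
    return ret;
}

/* Attach fails, then ip is looked up again, as the second bpftrace run does.
 * Returns 0 for a clean hash, or the trampoline left behind by the bug. */
unsigned long lookup_after_failed_attach(unsigned long ip, int cleanup)
{
    attach_fails = 1;
    (void)register_direct(ip, 0xc0ffee000UL, cleanup);   /* constructed addr */
    return find_rec_direct(ip);
}
```

In the real kernel the leftover entry is what ftrace_find_rec_direct walks into on the repeated attach; the model only shows the stale lookup, not the fault itself.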
Potential Impact
For European organizations, the primary impact of CVE-2022-49402 is the potential for denial of service due to kernel crashes. Systems running affected Linux kernel versions that support livepatching and bpftrace are at risk of unexpected reboots or service interruptions if exploited. This can disrupt critical infrastructure, cloud services, and enterprise environments relying on Linux servers for operations. Organizations using livepatching for kernel updates or employing bpftrace for performance monitoring and debugging are particularly vulnerable. The disruption could affect data centers, cloud providers, telecommunications, financial institutions, and public sector services across Europe. While the vulnerability does not directly allow privilege escalation or data leakage, the resulting instability can lead to operational downtime, impacting business continuity and service availability. In environments with strict uptime requirements or real-time processing, such as healthcare, manufacturing, or transportation sectors, the consequences could be severe. Additionally, the need to patch or update kernels to remediate the vulnerability may require planned maintenance windows, potentially affecting service delivery. Since no known exploits are in the wild, the immediate risk is moderate, but the vulnerability should be addressed promptly to prevent potential future exploitation.
Mitigation Recommendations
1. Apply the official Linux kernel patch that fixes CVE-2022-49402 as soon as it becomes available from trusted sources or Linux distribution vendors.
2. Avoid running untrusted livepatches or bpftrace scripts, especially in production environments, to reduce the risk of triggering the vulnerability.
3. Restrict permissions for loading livepatches and executing bpftrace commands to trusted administrators only, minimizing the attack surface.
4. Monitor kernel logs for signs of general protection faults or crashes related to ftrace or bpftrace activities to detect potential exploitation attempts.
5. Implement kernel crash recovery and alerting mechanisms to quickly respond to any unexpected reboots or faults.
6. For environments requiring livepatching, validate patches thoroughly in test environments before deployment to production.
7. Consider disabling livepatching or bpftrace features temporarily if immediate patching is not feasible and the risk is unacceptable.
8. Maintain up-to-date backups and disaster recovery plans to mitigate the impact of potential downtime caused by kernel crashes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:08:31.565Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982dc4522896dcbe58f2
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 6/30/2025, 6:55:11 AM
Last updated: 8/10/2025, 8:34:26 AM