CVE-2022-49529: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/pm: fix the null pointer while the smu is disabled
It needs to check if the pp_funcs is initialized while release the context, otherwise it will trigger null pointer panic while the software smu is not enabled.
[ 1109.404555] BUG: kernel NULL pointer dereference, address: 0000000000000078
[ 1109.404609] #PF: supervisor read access in kernel mode
[ 1109.404638] #PF: error_code(0x0000) - not-present page
[ 1109.404657] PGD 0 P4D 0
[ 1109.404672] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 1109.404701] CPU: 7 PID: 9150 Comm: amdgpu_test Tainted: G OEL 5.16.0-custom #1
[ 1109.404732] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 1109.404765] RIP: 0010:amdgpu_dpm_force_performance_level+0x1d/0x170 [amdgpu]
[ 1109.405109] Code: 5d c3 44 8b a3 f0 80 00 00 eb e5 66 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 08 4c 8b b7 f0 7d 00 00 <49> 83 7e 78 00 0f 84 f2 00 00 00 80 bf 87 80 00 00 00 48 89 fb 0f
[ 1109.405176] RSP: 0018:ffffaf3083ad7c20 EFLAGS: 00010282
[ 1109.405203] RAX: 0000000000000000 RBX: ffff9796b1c14600 RCX: 0000000002862007
[ 1109.405229] RDX: ffff97968591c8c0 RSI: 0000000000000001 RDI: ffff9796a3700000
[ 1109.405260] RBP: ffffaf3083ad7c50 R08: ffffffff9897de00 R09: ffff979688d9db60
[ 1109.405286] R10: 0000000000000000 R11: ffff979688d9db90 R12: 0000000000000001
[ 1109.405316] R13: ffff9796a3700000 R14: 0000000000000000 R15: ffff9796a3708fc0
[ 1109.405345] FS: 00007ff055cff180(0000) GS:ffff9796bfdc0000(0000) knlGS:0000000000000000
[ 1109.405378] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1109.405400] CR2: 0000000000000078 CR3: 000000000a394000 CR4: 00000000000506e0
[ 1109.405434] Call Trace:
[ 1109.405445] <TASK>
[ 1109.405456] ? delete_object_full+0x1d/0x20
[ 1109.405480] amdgpu_ctx_set_stable_pstate+0x7c/0xa0 [amdgpu]
[ 1109.405698] amdgpu_ctx_fini.part.0+0xcb/0x100 [amdgpu]
[ 1109.405911] amdgpu_ctx_do_release+0x71/0x80 [amdgpu]
[ 1109.406121] amdgpu_ctx_ioctl+0x52d/0x550 [amdgpu]
[ 1109.406327] ? _raw_spin_unlock+0x1a/0x30
[ 1109.406354] ? drm_gem_handle_delete+0x81/0xb0 [drm]
[ 1109.406400] ? amdgpu_ctx_get_entity+0x2c0/0x2c0 [amdgpu]
[ 1109.406609] drm_ioctl_kernel+0xb6/0x140 [drm]
AI Analysis
Technical Summary
CVE-2022-49529 is a vulnerability identified in the Linux kernel specifically within the AMDGPU driver component, which manages AMD graphics hardware. The flaw arises in the power management (pm) code of the AMDGPU driver, where a null pointer dereference can occur if the software System Management Unit (SMU) is disabled. The vulnerability is triggered because the code does not verify whether the 'pp_funcs' pointer is properly initialized before releasing the context. When 'pp_funcs' is uninitialized (null), attempts to access it result in a kernel NULL pointer dereference, causing a kernel panic and system crash. The provided kernel log snippet shows the crash occurring in the function 'amdgpu_dpm_force_performance_level', which is part of the AMDGPU driver’s dynamic power management routines. This bug leads to a denial of service (DoS) condition by crashing the kernel, impacting system availability. The issue is present in Linux kernel versions identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and has been publicly disclosed without an assigned CVSS score or known exploits in the wild. The vulnerability requires that the software SMU feature be disabled, which might be the case in certain configurations or virtualized environments. Exploitation does not require user interaction but does require the ability to invoke AMDGPU driver ioctl calls, which typically implies local access or elevated privileges. The vulnerability is a classic null pointer dereference leading to a kernel panic, which is a common stability and security concern in kernel drivers handling hardware interfaces.
Potential Impact
For European organizations, the impact of CVE-2022-49529 primarily manifests as a potential denial of service through kernel crashes on systems using vulnerable Linux kernels with AMDGPU drivers. This can disrupt critical services, especially in environments relying on AMD graphics hardware for compute or display tasks, such as workstations, servers, or virtualized infrastructure. Organizations in sectors like finance, manufacturing, research, and government that utilize Linux-based systems with AMD GPUs could experience operational downtime, loss of productivity, and potential cascading failures in dependent services. Although this vulnerability does not directly lead to privilege escalation or data breaches, the induced system instability can be exploited as part of a broader attack chain to disrupt operations or force system reboots. In virtualized environments, where AMDGPU passthrough or emulation is used, this vulnerability could be triggered remotely by a malicious guest, increasing risk. Given the widespread use of Linux in European data centers and enterprises, unpatched systems could face increased risk of service interruptions, impacting business continuity and service level agreements.
Mitigation Recommendations
To mitigate CVE-2022-49529, European organizations should:
1) Apply the latest Linux kernel updates and patches that address this vulnerability as soon as they become available from trusted Linux distributions or the kernel maintainers.
2) Audit and verify configurations to ensure that the software SMU feature is enabled where possible, as the vulnerability is triggered only when it is disabled.
3) Restrict access to AMDGPU driver ioctl interfaces to trusted users and processes, minimizing the risk of local exploitation.
4) In virtualized environments, carefully control and monitor guest access to AMDGPU devices or consider disabling GPU passthrough if not required.
5) Implement robust monitoring and alerting for kernel panics or system crashes to enable rapid detection and response.
6) Conduct thorough testing of kernel updates in staging environments to ensure stability before deployment.
7) Maintain an inventory of systems using AMD GPUs and Linux kernels to prioritize patching and risk assessment.
These steps go beyond generic advice by focusing on configuration validation, access control, and operational monitoring specific to the AMDGPU driver context.
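For the kernel-panic monitoring recommended above, the following added example (not part of the original advisory or of any kernel tooling) parses an oops report and flags the crash signature quoted in the description: a NULL dereference in amdgpu_dpm_force_performance_level reached from the context-release path. The function names parse_oops and matches_cve_2022_49529 are hypothetical, and the sample input is constructed from lines of the log above.

```python
import re

# Constructed sample: a few lines taken from the oops quoted in the description
# above, one entry per line as dmesg prints them.
SAMPLE_OOPS = """\
[ 1109.404555] BUG: kernel NULL pointer dereference, address: 0000000000000078
[ 1109.404765] RIP: 0010:amdgpu_dpm_force_performance_level+0x1d/0x170 [amdgpu]
[ 1109.405434] Call Trace:
[ 1109.405445]  <TASK>
[ 1109.405456]  ? delete_object_full+0x1d/0x20
[ 1109.405480]  amdgpu_ctx_set_stable_pstate+0x7c/0xa0 [amdgpu]
[ 1109.405698]  amdgpu_ctx_fini.part.0+0xcb/0x100 [amdgpu]
[ 1109.405911]  amdgpu_ctx_do_release+0x71/0x80 [amdgpu]
[ 1109.406121]  amdgpu_ctx_ioctl+0x52d/0x550 [amdgpu]
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
FRAME = re.compile(r"^(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?$")
NULL_BUG = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
RIP = re.compile(r"RIP: [0-9a-f]+:([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")

def parse_oops(text):
    """Extract fault address, faulting symbol/module and reliable call-trace frames."""
    info = {"null_deref": False, "address": None, "rip": None, "module": None, "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = STAMP.sub("", raw).strip()
        if m := NULL_BUG.search(line):
            info["null_deref"], info["address"] = True, int(m.group(1), 16)
        elif m := RIP.search(line):
            info["rip"], info["module"] = m.group(1), m.group(2)
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME.match(line)):
            if not m.group(1):  # frames prefixed with "?" are unreliable guesses
                info["trace"].append(m.group(2))
    return info

def matches_cve_2022_49529(info):
    """Signature: NULL deref in amdgpu_dpm_force_performance_level via context release."""
    return (info["null_deref"]
            and info["module"] == "amdgpu"
            and info["rip"] == "amdgpu_dpm_force_performance_level"
            and "amdgpu_ctx_set_stable_pstate" in info["trace"]
            and any(f.startswith("amdgpu_ctx_fini") for f in info["trace"]))

if __name__ == "__main__":
    parsed = parse_oops(SAMPLE_OOPS)
    print(parsed, matches_cve_2022_49529(parsed))
```

The parser keeps the fault address because a value as small as 0x78 is a structure-member offset from a NULL base pointer, which helps separate this class of bug from wild-pointer faults during triage.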
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:08:31.588Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe435e
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 9:57:04 PM
Last updated: 8/14/2025, 5:13:53 PM