CVE-2022-49721: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: arm64: ftrace: consistently handle PLTs. Sometimes it is necessary to use a PLT entry to call an ftrace trampoline. This is handled by ftrace_make_call() and ftrace_make_nop(), with each having *almost* identical logic, but this is not handled by ftrace_modify_call() since its introduction in commit: 3b23e4991fb66f6d ("arm64: implement ftrace with regs") Due to this, if we ever were to call ftrace_modify_call() for a callsite which requires a PLT entry for a trampoline, then either: a) If the old addr requires a trampoline, ftrace_modify_call() will use an out-of-range address to generate the 'old' branch instruction. This will result in warnings from aarch64_insn_gen_branch_imm() and ftrace_modify_code(), and no instructions will be modified. As ftrace_modify_call() will return an error, this will result in subsequent internal ftrace errors. b) If the old addr does not require a trampoline, but the new addr does, ftrace_modify_call() will use an out-of-range address to generate the 'new' branch instruction. This will result in warnings from aarch64_insn_gen_branch_imm(), and ftrace_modify_code() will replace the 'old' branch with a BRK. This will result in a kernel panic when this BRK is later executed. Practically speaking, case (a) is vastly more likely than case (b), and typically this will result in internal ftrace errors that don't necessarily affect the rest of the system. This can be demonstrated with an out-of-tree test module which triggers ftrace_modify_call(), e.g. | # insmod test_ftrace.ko | test_ftrace: Function test_function raw=0xffffb3749399201c, callsite=0xffffb37493992024 | branch_imm_common: offset out of range | branch_imm_common: offset out of range | ------------[ ftrace bug ]------------ | ftrace failed to modify | [<ffffb37493992024>] test_function+0x8/0x38 [test_ftrace] | actual: 1d:00:00:94 | Updating ftrace call site to call a different ftrace function | ftrace record flags: e0000002 | (2) R | expected tramp: ffffb374ae42ed54 | ------------[ cut here ]------------ | WARNING: CPU: 0 PID: 165 at kernel/trace/ftrace.c:2085 ftrace_bug+0x280/0x2b0 | Modules linked in: test_ftrace(+) | CPU: 0 PID: 165 Comm: insmod Not tainted 5.19.0-rc2-00002-g4d9ead8b45ce #13 | Hardware name: linux,dummy-virt (DT) | pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : ftrace_bug+0x280/0x2b0 | lr : ftrace_bug+0x280/0x2b0 | sp : ffff80000839ba00 | x29: ffff80000839ba00 x28: 0000000000000000 x27: ffff80000839bcf0 | x26: ffffb37493994180 x25: ffffb374b0991c28 x24: ffffb374b0d70000 | x23: 00000000ffffffea x22: ffffb374afcc33b0 x21: ffffb374b08f9cc8 | x20: ffff572b8462c000 x19: ffffb374b08f9000 x18: ffffffffffffffff | x17: 6c6c6163202c6331 x16: ffffb374ae5ad110 x15: ffffb374b0d51ee4 | x14: 0000000000000000 x13: 3435646532346561 x12: 3437336266666666 | x11: 203a706d61727420 x10: 6465746365707865 x9 : ffffb374ae5149e8 | x8 : 336266666666203a x7 : 706d617274206465 x6 : 00000000fffff167 | x5 : ffff572bffbc4a08 x4 : 00000000fffff167 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : ffff572b84461e00 x0 : 0000000000000022 | Call trace: | ftrace_bug+0x280/0x2b0 | ftrace_replace_code+0x98/0xa0 | ftrace_modify_all_code+0xe0/0x144 | arch_ftrace_update_code+0x14/0x20 | ftrace_startup+0xf8/0x1b0 | register_ftrace_function+0x38/0x90 | test_ftrace_init+0xd0/0x1000 [test_ftrace] | do_one_initcall+0x50/0x2b0 | do_init_module+0x50/0x1f0 | load_module+0x17c8/0x1d64 | __do_sys_finit_module+0xa8/0x100 | __arm64_sys_finit_module+0x2c/0x3c | invoke_syscall+0x50/0x120 | el0_svc_common.constprop.0+0xdc/0x100 | do_el0_svc+0x3c/0xd0 | el0_svc+0x34/0xb0 | el0t_64_sync_handler+0xbc/0x140 | el0t_64_sync+0x18c/0x190 | ---[ end trace 0000000000000000 ]--- We can solve this by consistently determining whether to use a PLT entry for an address. Note that since (the earlier) commit: f1a54ae9 ---truncated---
AI Analysis
Technical Summary
CVE-2022-49721 is a vulnerability in the Linux kernel specifically affecting the arm64 architecture's ftrace subsystem, which is used for function tracing and debugging. The issue arises from inconsistent handling of Procedure Linkage Table (PLT) entries when modifying function call sites via ftrace. The vulnerability is rooted in the ftrace_modify_call() function, which unlike ftrace_make_call() and ftrace_make_nop(), does not correctly handle cases where a PLT entry is required for a trampoline call. This leads to two problematic scenarios: (a) when the old address requires a trampoline, ftrace_modify_call() attempts to generate a branch instruction with an out-of-range address, causing warnings and internal ftrace errors without modifying instructions, and (b) when the new address requires a trampoline but the old does not, the function generates an out-of-range branch instruction replaced by a BRK (breakpoint) instruction, which triggers a kernel panic upon execution. The more common scenario is (a), which results in internal ftrace errors that may not immediately affect system stability, but scenario (b) can cause a kernel panic, leading to a denial of service. The vulnerability can be triggered by loading a specially crafted kernel module that invokes ftrace_modify_call() improperly, as demonstrated by a test module example. The root cause is a logic inconsistency introduced in commit 3b23e4991fb66f6d, where ftrace_modify_call() was introduced without proper PLT handling. The fix involves consistently determining when to use a PLT entry for an address to avoid out-of-range branch instructions and subsequent kernel panics. This vulnerability affects Linux kernel versions containing the faulty commit and impacts systems running on arm64 architecture that utilize ftrace for tracing and debugging.
Potential Impact
For European organizations, the impact of CVE-2022-49721 depends largely on their deployment of Linux systems running on arm64 architecture, which is increasingly common in servers, embedded devices, and IoT infrastructure. The vulnerability can cause kernel panics leading to denial of service, potentially disrupting critical services and operations. Systems relying on ftrace for performance monitoring, debugging, or security auditing could experience instability or crashes if exploited. Although exploitation requires loading a kernel module, which typically demands root privileges, the vulnerability could be leveraged by attackers who have already gained elevated access to cause system outages or interfere with kernel tracing mechanisms. This could affect cloud service providers, telecom infrastructure, industrial control systems, and other sectors using arm64 Linux servers or devices. The denial of service could lead to downtime, loss of availability, and operational disruption. Additionally, internal ftrace errors might complicate debugging and monitoring efforts, impacting incident response and system maintenance. Since no known exploits are reported in the wild, the immediate risk is moderate but should be addressed proactively to prevent potential exploitation in targeted attacks or insider threat scenarios.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2022-49721 as soon as they become available from trusted sources or Linux distributions. 2. Restrict the ability to load kernel modules to trusted administrators only, enforcing strict access controls and auditing module loading activities. 3. Employ kernel lockdown features where possible to prevent unauthorized kernel modifications. 4. Monitor system logs for ftrace-related warnings or errors that could indicate attempts to trigger the vulnerability. 5. For environments using custom or out-of-tree kernel modules, review and test these modules for compatibility with the patched kernel and ensure they do not invoke ftrace_modify_call() in a way that could trigger the bug. 6. Consider disabling ftrace functionality on arm64 systems if not required, to reduce the attack surface. 7. Maintain robust incident response plans to quickly address kernel panics or system crashes potentially related to this vulnerability. 8. Use security tools that can detect anomalous kernel module loading or unusual kernel behavior indicative of exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
CVE-2022-49721: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: arm64: ftrace: consistently handle PLTs. Sometimes it is necessary to use a PLT entry to call an ftrace trampoline. This is handled by ftrace_make_call() and ftrace_make_nop(), with each having *almost* identical logic, but this is not handled by ftrace_modify_call() since its introduction in commit: 3b23e4991fb66f6d ("arm64: implement ftrace with regs") Due to this, if we ever were to call ftrace_modify_call() for a callsite which requires a PLT entry for a trampoline, then either: a) If the old addr requires a trampoline, ftrace_modify_call() will use an out-of-range address to generate the 'old' branch instruction. This will result in warnings from aarch64_insn_gen_branch_imm() and ftrace_modify_code(), and no instructions will be modified. As ftrace_modify_call() will return an error, this will result in subsequent internal ftrace errors. b) If the old addr does not require a trampoline, but the new addr does, ftrace_modify_call() will use an out-of-range address to generate the 'new' branch instruction. This will result in warnings from aarch64_insn_gen_branch_imm(), and ftrace_modify_code() will replace the 'old' branch with a BRK. This will result in a kernel panic when this BRK is later executed. Practically speaking, case (a) is vastly more likely than case (b), and typically this will result in internal ftrace errors that don't necessarily affect the rest of the system. This can be demonstrated with an out-of-tree test module which triggers ftrace_modify_call(), e.g. | # insmod test_ftrace.ko | test_ftrace: Function test_function raw=0xffffb3749399201c, callsite=0xffffb37493992024 | branch_imm_common: offset out of range | branch_imm_common: offset out of range | ------------[ ftrace bug ]------------ | ftrace failed to modify | [<ffffb37493992024>] test_function+0x8/0x38 [test_ftrace] | actual: 1d:00:00:94 | Updating ftrace call site to call a different ftrace function | ftrace record flags: e0000002 | (2) R | expected tramp: ffffb374ae42ed54 | ------------[ cut here ]------------ | WARNING: CPU: 0 PID: 165 at kernel/trace/ftrace.c:2085 ftrace_bug+0x280/0x2b0 | Modules linked in: test_ftrace(+) | CPU: 0 PID: 165 Comm: insmod Not tainted 5.19.0-rc2-00002-g4d9ead8b45ce #13 | Hardware name: linux,dummy-virt (DT) | pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : ftrace_bug+0x280/0x2b0 | lr : ftrace_bug+0x280/0x2b0 | sp : ffff80000839ba00 | x29: ffff80000839ba00 x28: 0000000000000000 x27: ffff80000839bcf0 | x26: ffffb37493994180 x25: ffffb374b0991c28 x24: ffffb374b0d70000 | x23: 00000000ffffffea x22: ffffb374afcc33b0 x21: ffffb374b08f9cc8 | x20: ffff572b8462c000 x19: ffffb374b08f9000 x18: ffffffffffffffff | x17: 6c6c6163202c6331 x16: ffffb374ae5ad110 x15: ffffb374b0d51ee4 | x14: 0000000000000000 x13: 3435646532346561 x12: 3437336266666666 | x11: 203a706d61727420 x10: 6465746365707865 x9 : ffffb374ae5149e8 | x8 : 336266666666203a x7 : 706d617274206465 x6 : 00000000fffff167 | x5 : ffff572bffbc4a08 x4 : 00000000fffff167 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : ffff572b84461e00 x0 : 0000000000000022 | Call trace: | ftrace_bug+0x280/0x2b0 | ftrace_replace_code+0x98/0xa0 | ftrace_modify_all_code+0xe0/0x144 | arch_ftrace_update_code+0x14/0x20 | ftrace_startup+0xf8/0x1b0 | register_ftrace_function+0x38/0x90 | test_ftrace_init+0xd0/0x1000 [test_ftrace] | do_one_initcall+0x50/0x2b0 | do_init_module+0x50/0x1f0 | load_module+0x17c8/0x1d64 | __do_sys_finit_module+0xa8/0x100 | __arm64_sys_finit_module+0x2c/0x3c | invoke_syscall+0x50/0x120 | el0_svc_common.constprop.0+0xdc/0x100 | do_el0_svc+0x3c/0xd0 | el0_svc+0x34/0xb0 | el0t_64_sync_handler+0xbc/0x140 | el0t_64_sync+0x18c/0x190 | ---[ end trace 0000000000000000 ]--- We can solve this by consistently determining whether to use a PLT entry for an address. Note that since (the earlier) commit: f1a54ae9 ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2022-49721 is a vulnerability in the Linux kernel specifically affecting the arm64 architecture's ftrace subsystem, which is used for function tracing and debugging. The issue arises from inconsistent handling of Procedure Linkage Table (PLT) entries when modifying function call sites via ftrace. The vulnerability is rooted in the ftrace_modify_call() function, which unlike ftrace_make_call() and ftrace_make_nop(), does not correctly handle cases where a PLT entry is required for a trampoline call. This leads to two problematic scenarios: (a) when the old address requires a trampoline, ftrace_modify_call() attempts to generate a branch instruction with an out-of-range address, causing warnings and internal ftrace errors without modifying instructions, and (b) when the new address requires a trampoline but the old does not, the function generates an out-of-range branch instruction replaced by a BRK (breakpoint) instruction, which triggers a kernel panic upon execution. The more common scenario is (a), which results in internal ftrace errors that may not immediately affect system stability, but scenario (b) can cause a kernel panic, leading to a denial of service. The vulnerability can be triggered by loading a specially crafted kernel module that invokes ftrace_modify_call() improperly, as demonstrated by a test module example. The root cause is a logic inconsistency introduced in commit 3b23e4991fb66f6d, where ftrace_modify_call() was introduced without proper PLT handling. The fix involves consistently determining when to use a PLT entry for an address to avoid out-of-range branch instructions and subsequent kernel panics. This vulnerability affects Linux kernel versions containing the faulty commit and impacts systems running on arm64 architecture that utilize ftrace for tracing and debugging.
Potential Impact
For European organizations, the impact of CVE-2022-49721 depends largely on their deployment of Linux systems running on arm64 architecture, which is increasingly common in servers, embedded devices, and IoT infrastructure. The vulnerability can cause kernel panics leading to denial of service, potentially disrupting critical services and operations. Systems relying on ftrace for performance monitoring, debugging, or security auditing could experience instability or crashes if exploited. Although exploitation requires loading a kernel module, which typically demands root privileges, the vulnerability could be leveraged by attackers who have already gained elevated access to cause system outages or interfere with kernel tracing mechanisms. This could affect cloud service providers, telecom infrastructure, industrial control systems, and other sectors using arm64 Linux servers or devices. The denial of service could lead to downtime, loss of availability, and operational disruption. Additionally, internal ftrace errors might complicate debugging and monitoring efforts, impacting incident response and system maintenance. Since no known exploits are reported in the wild, the immediate risk is moderate but should be addressed proactively to prevent potential exploitation in targeted attacks or insider threat scenarios.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2022-49721 as soon as they become available from trusted sources or Linux distributions. 2. Restrict the ability to load kernel modules to trusted administrators only, enforcing strict access controls and auditing module loading activities. 3. Employ kernel lockdown features where possible to prevent unauthorized kernel modifications. 4. Monitor system logs for ftrace-related warnings or errors that could indicate attempts to trigger the vulnerability. 5. For environments using custom or out-of-tree kernel modules, review and test these modules for compatibility with the patched kernel and ensure they do not invoke ftrace_modify_call() in a way that could trigger the bug. 6. Consider disabling ftrace functionality on arm64 systems if not required, to reduce the attack surface. 7. Maintain robust incident response plans to quickly address kernel panics or system crashes potentially related to this vulnerability. 8. Use security tools that can detect anomalous kernel module loading or unusual kernel behavior indicative of exploitation attempts.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T02:21:30.446Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982cc4522896dcbe4955
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 12:41:10 AM
Last updated: 8/14/2025, 6:41:57 PM
Views: 12
Related Threats
CVE-2025-9074: CWE-668 Exposure of Resource to Wrong Sphere in Docker Docker Desktop
CriticalCVE-2025-55503: n/a
UnknownCVE-2025-54924: CWE-918 Server-Side Request Forgery (SSRF) in Schneider Electric EcoStruxure™ Power Monitoring Expert (PME)
HighCVE-2025-54923: CWE-502 Deserialization of Untrusted Data in Schneider Electric EcoStruxure™ Power Monitoring Expert (PME)
HighCVE-2025-50503: n/a
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.