CVE-2022-49977

Severity: Medium (CVSS 3.1 base score 5.5)
EPSS: 10.4%
Published: Jun 18, 2025
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead

ftrace_startup does not remove ops from ftrace_ops_list when ftrace_startup_enable fails:

  register_ftrace_function
    ftrace_startup
      __register_ftrace_function
        ...
        add_ftrace_ops(&ftrace_ops_list, ops)
        ...
      ...
      ftrace_startup_enable // if ftrace failed to modify, ftrace_disabled is set to 1
      ...
    return 0 // ops is in the ftrace_ops_list.

When ftrace_disabled = 1, unregister_ftrace_function simply returns without doing anything:

  unregister_ftrace_function
    ftrace_shutdown
      if (unlikely(ftrace_disabled))
        return -ENODEV; // return here, __unregister_ftrace_function is not executed,
                        // as a result, ops is still in the ftrace_ops_list
      __unregister_ftrace_function
      ...

If ops is dynamically allocated, it will be freed later; in this case, is_ftrace_trampoline accesses a NULL pointer:

  is_ftrace_trampoline
    ftrace_ops_trampoline
      do_for_each_ftrace_op(op, ftrace_ops_list) // OOPS! op may be NULL!

Syzkaller reports as follows:

  [ 1203.506103] BUG: kernel NULL pointer dereference, address: 000000000000010b
  [ 1203.508039] #PF: supervisor read access in kernel mode
  [ 1203.508798] #PF: error_code(0x0000) - not-present page
  [ 1203.509558] PGD 800000011660b067 P4D 800000011660b067 PUD 130fb8067 PMD 0
  [ 1203.510560] Oops: 0000 [#1] SMP KASAN PTI
  [ 1203.511189] CPU: 6 PID: 29532 Comm: syz-executor.2 Tainted: G B W 5.10.0 #8
  [ 1203.512324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
  [ 1203.513895] RIP: 0010:is_ftrace_trampoline+0x26/0xb0
  [ 1203.514644] Code: ff eb d3 90 41 55 41 54 49 89 fc 55 53 e8 f2 00 fd ff 48 8b 1d 3b 35 5d 03 e8 e6 00 fd ff 48 8d bb 90 00 00 00 e8 2a 81 26 00 <48> 8b ab 90 00 00 00 48 85 ed 74 1d e8 c9 00 fd ff 48 8d bb 98 00
  [ 1203.518838] RSP: 0018:ffffc900012cf960 EFLAGS: 00010246
  [ 1203.520092] RAX: 0000000000000000 RBX: 000000000000007b RCX: ffffffff8a331866
  [ 1203.521469] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 000000000000010b
  [ 1203.522583] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8df18b07
  [ 1203.523550] R10: fffffbfff1be3160 R11: 0000000000000001 R12: 0000000000478399
  [ 1203.524596] R13: 0000000000000000 R14: ffff888145088000 R15: 0000000000000008
  [ 1203.525634] FS: 00007f429f5f4700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
  [ 1203.526801] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 1203.527626] CR2: 000000000000010b CR3: 0000000170e1e001 CR4: 00000000003706e0
  [ 1203.528611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  [ 1203.529605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Therefore, when ftrace_startup_enable fails, we need to roll back the registration process and remove ops from ftrace_ops_list.
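The registration and unregistration sequence described above, reduced to a runnable model in C. This is an added example, not kernel code: the model_* names, the NULL-terminated list and the model_patch_fails fault injection are assumptions standing in for ftrace_ops_list, ftrace_disabled and a failed call-site patch. It shows why the early return in ftrace_shutdown cannot undo a registration whose enable step already failed, and why the rollback the commit message asks for (unlinking ops from the list inside ftrace_startup) is the only place the fix can go. The oops above is consistent with this reading: the faulting instruction loads 0x90(%rbx) with RBX = 0x7b, giving the reported address 0x10b, so the walk was dereferencing a garbage ops pointer rather than a live one.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Model of ftrace_ops_list bookkeeping; assumption: NULL-terminated list (the real
 * list ends in a sentinel, which does not change the bug). All model_* names are
 * constructed for this example. */
struct model_ops {
	struct model_ops *next;
	unsigned long trampoline, trampoline_size;  /* this ops' trampoline text */
};

static struct model_ops *model_ops_list;  /* stands in for ftrace_ops_list */
static int model_ftrace_disabled;         /* stands in for ftrace_disabled */
static bool model_patch_fails;            /* fault injection: code patching fails */

static void model_add_ops(struct model_ops *ops)
{
	ops->next = model_ops_list;
	model_ops_list = ops;
}

static int model_remove_ops(struct model_ops *ops)
{
	for (struct model_ops **p = &model_ops_list; *p; p = &(*p)->next)
		if (*p == ops) {
			*p = ops->next;
			return 0;
		}
	return -ENOENT;  /* ops was not on the list */
}

/* ftrace_startup_enable: a failed call-site patch marks ftrace dead. */
static int model_startup_enable(void)
{
	if (model_patch_fails)
		model_ftrace_disabled = 1;
	return model_patch_fails ? -EINVAL : 0;
}

/* Vulnerable shape: ops is linked first and the enable failure is ignored. */
static int model_register_vulnerable(struct model_ops *ops)
{
	if (model_ftrace_disabled)
		return -ENODEV;
	model_add_ops(ops);
	model_startup_enable();  /* result dropped: ftrace dies, ops stays linked */
	return 0;                /* caller believes registration succeeded */
}

/* Fixed shape: roll the insertion back on failure and propagate the error. */
static int model_register_fixed(struct model_ops *ops)
{
	if (model_ftrace_disabled)
		return -ENODEV;
	model_add_ops(ops);
	int ret = model_startup_enable();
	if (ret)
		model_remove_ops(ops);  /* the rollback the fix adds */
	return ret;
}

/* ftrace_shutdown: bails out before touching the list once ftrace is dead. */
static int model_unregister(struct model_ops *ops)
{
	return model_ftrace_disabled ? -ENODEV : model_remove_ops(ops);
}

/* is_ftrace_trampoline-style walk: dereferences every linked ops, so a freed ops
 * still on the list (its next now holds allocator garbage) faults here. */
static bool model_is_trampoline(unsigned long addr)
{
	for (const struct model_ops *op = model_ops_list; op; op = op->next)
		if (addr - op->trampoline < op->trampoline_size)  /* wraps if addr < start */
			return true;
	return false;
}

/* Advisory scenario: heap-allocated ops registered while patching fails, then
 * unregistered. True means it was still linked, i.e. freeing it would dangle. */
static bool model_dangling_after_unregister(int (*reg)(struct model_ops *))
{
	struct model_ops *ops = calloc(1, sizeof(*ops));
	model_ops_list = NULL;
	model_ftrace_disabled = 0;
	model_patch_fails = true;
	reg(ops);
	model_unregister(ops);
	bool dangling = model_remove_ops(ops) == 0;  /* unlink before free, if still there */
	free(ops);
	return dangling;
}

static bool model_healthy_path_ok(void)  /* patching succeeds: lookup hits, unregister unlinks */
{
	struct model_ops ops = { .trampoline = 0x1000, .trampoline_size = 0x100 };
	model_ops_list = NULL;
	model_ftrace_disabled = 0;
	model_patch_fails = false;
	return model_register_fixed(&ops) == 0 && model_is_trampoline(0x1050) &&
	       model_unregister(&ops) == 0 && !model_is_trampoline(0x1050);
}
```

Running model_dangling_after_unregister with model_register_vulnerable returns true: unregister hits the disabled check, returns -ENODEV and leaves the node linked, so the caller's subsequent free is what turns the next trampoline walk into the crash above. With model_register_fixed it returns false because the failed registration never leaves the node on the list, and the caller also gets the error it should have received in the first place.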

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
10.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses

CWE-476: NULL Pointer Dereference (Memory Safety)

Affected Products

Vendor   Product        Version   Range
linux    linux_kernel   *         < 4.9.327
linux    linux_kernel   *         ≥ 4.10, < 4.14.292
linux    linux_kernel   *         ≥ 4.15, < 4.19.257
linux    linux_kernel   *         ≥ 4.20, < 5.4.212
linux    linux_kernel   *         ≥ 5.5, < 5.10.141
linux    linux_kernel   *         ≥ 5.11, < 5.15.65
linux    linux_kernel   *         ≥ 5.16, < 5.19.7
linux    linux_kernel   6.0       any

References

  • Patch: https://git.kernel.org/stable/c/4c34a2a6c9927c239dd2e295a03d49b37b618d2c
  • Patch: https://git.kernel.org/stable/c/8569b4ada1e0b9bfaa125bd0c0967918b6560fa2
  • Patch: https://git.kernel.org/stable/c/934e49f7d696afdae9f979abe3f308408184e17b
  • Patch: https://git.kernel.org/stable/c/c3b0f72e805f0801f05fa2aa52011c4bfc694c44
  • Patch: https://git.kernel.org/stable/c/d81bd6671f45fde4c3ac7fd7733c6e3082ae9d8e
  • Patch: https://git.kernel.org/stable/c/dbd8c8fc60480e3faa3ae7e27ebe03371ecd1b77
  • Patch: https://git.kernel.org/stable/c/ddffe882d74ef43a3494f0ab0c24baf076c45f96
  • Patch: https://git.kernel.org/stable/c/e4ae97295984ff1b9b340ed18ae1b066f36b7835

Remediation

Apply one of the stable patches listed under References, or update to a kernel at or above the upper bound of the matching range in Affected Products.