Vulnerability Details CVE-2022-49889
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()
On some machines the number of listed CPUs may be bigger than the actual
CPUs that exist. The tracing subsystem allocates a per_cpu directory with
access to the per CPU ring buffer via a cpuX file. But to save space, the
ring buffer will only allocate buffers for online CPUs, even though the
CPU array will be as big as the nr_cpu_ids.
With the addition of waking waiters on the ring buffer when closing the
file, the ring_buffer_wake_waiters() now needs to make sure that the
buffer is allocated (with the irq_work allocated with it) before trying to
wake waiters, as it will cause a NULL pointer dereference.
While debugging this, I added a NULL check for the buffer itself (which is
OK to do), and also NULL pointer checks against buffer->buffers (which is
not fine, and will WARN) as well as making sure the CPU number passed in
is within the nr_cpu_ids (which is also not fine if it isn't).
Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1204705
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 1.4%
CVSS Severity
CVSS v3 Score 5.5
References
Products affected by CVE-2022-49889
-
cpe:2.3:o:linux:linux_kernel:5.15.75
-
cpe:2.3:o:linux:linux_kernel:5.15.76
-
cpe:2.3:o:linux:linux_kernel:5.15.77
-
cpe:2.3:o:linux:linux_kernel:5.19.17
-
cpe:2.3:o:linux:linux_kernel:6.0.3
-
cpe:2.3:o:linux:linux_kernel:6.0.4
-
cpe:2.3:o:linux:linux_kernel:6.0.5
-
cpe:2.3:o:linux:linux_kernel:6.0.6
-
cpe:2.3:o:linux:linux_kernel:6.0.7