CVE-2022-49888

01.05.2025, 15:16

In the Linux kernel, the following vulnerability has been resolved:

arm64: entry: avoid kprobe recursion

The cortex_a76_erratum_1463225_debug_handler() function is called when
handling debug exceptions (and synchronous exceptions from BRK
instructions), and so is called when a probed function executes. If the
compiler does not inline cortex_a76_erratum_1463225_debug_handler(), it
can be probed.

If cortex_a76_erratum_1463225_debug_handler() is probed, any debug
exception or software breakpoint exception will result in recursive
exceptions leading to a stack overflow. This can be triggered with the
ftrace multiple_probes selftest, and as per the example splat below.

This is a regression caused by commit:

  6459b8469753e9fe ("arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround")

... which removed the NOKPROBE_SYMBOL() annotation associated with the
function.

My intent was that cortex_a76_erratum_1463225_debug_handler() would be
inlined into its caller, el1_dbg(), which is marked noinstr and cannot
be probed. Mark cortex_a76_erratum_1463225_debug_handler() as
__always_inline to ensure this.

Example splat prior to this patch (with recursive entries elided):

| # echo p cortex_a76_erratum_1463225_debug_handler > /sys/kernel/debug/tracing/kprobe_events
| # echo p do_el0_svc >> /sys/kernel/debug/tracing/kprobe_events
| # echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
| Insufficient stack space to handle exception!
| ESR: 0x0000000096000047 -- DABT (current EL)
| FAR: 0xffff800009cefff0
| Task stack:     [0xffff800009cf0000..0xffff800009cf4000]
| IRQ stack:      [0xffff800008000000..0xffff800008004000]
| Overflow stack: [0xffff00007fbc00f0..0xffff00007fbc10f0]
| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2
| Hardware name: linux,dummy-virt (DT)
| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : arm64_enter_el1_dbg+0x4/0x20
| lr : el1_dbg+0x24/0x5c
| sp : ffff800009cf0000
| x29: ffff800009cf0000 x28: ffff000002c74740 x27: 0000000000000000
| x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
| x23: 00000000604003c5 x22: ffff80000801745c x21: 0000aaaac95ac068
| x20: 00000000f2000004 x19: ffff800009cf0040 x18: 0000000000000000
| x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
| x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
| x11: 0000000000000010 x10: ffff800008c87190 x9 : ffff800008ca00d0
| x8 : 000000000000003c x7 : 0000000000000000 x6 : 0000000000000000
| x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000043a4
| x2 : 00000000f2000004 x1 : 00000000f2000004 x0 : ffff800009cf0040
| Kernel panic - not syncing: kernel stack overflow
| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2
| Hardware name: linux,dummy-virt (DT)
| Call trace:
|  dump_backtrace+0xe4/0x104
|  show_stack+0x18/0x4c
|  dump_stack_lvl+0x64/0x7c
|  dump_stack+0x18/0x38
|  panic+0x14c/0x338
|  test_taint+0x0/0x2c
|  panic_bad_stack+0x104/0x118
|  handle_bad_stack+0x34/0x48
|  __bad_stack+0x78/0x7c
|  arm64_enter_el1_dbg+0x4/0x20
|  el1h_64_sync_handler+0x40/0x98
|  el1h_64_sync+0x64/0x68
|  cortex_a76_erratum_1463225_debug_handler+0x0/0x34
...
|  el1h_64_sync_handler+0x40/0x98
|  el1h_64_sync+0x64/0x68
|  cortex_a76_erratum_1463225_debug_handler+0x0/0x34
...
|  el1h_64_sync_handler+0x40/0x98
|  el1h_64_sync+0x64/0x68
|  cortex_a76_erratum_1463225_debug_handler+0x0/0x34
|  el1h_64_sync_handler+0x40/0x98
|  el1h_64_sync+0x64/0x68
|  do_el0_svc+0x0/0x28
|  el0t_64_sync_handler+0x84/0xf0
|  el0t_64_sync+0x18c/0x190
| Kernel Offset: disabled
| CPU features: 0x0080,00005021,19001080
| Memory Limit: none
| ---[ end Kernel panic - not syncing: kernel stack overflow ]---

With this patch, cortex_a76_erratum_1463225_debug_handler() is inlined
into el1_dbg(), and el1_dbg() cannot be probed:

| # echo p cortex_a76_erratum_1463225_debug_handler > /sys/kernel/debug/tracing/kprobe_events
| sh: write error: No such file or directory
| # grep -w cortex_a76_errat
---truncated---

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Linux	CNA	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Vendor	Product	Version
linux	linux_kernel	5.12 ≤ 𝑥 < 5.15.78
linux	linux_kernel	5.16 ≤ 𝑥 < 6.0.8
linux	linux_kernel	6.1:rc1
linux	linux_kernel	6.1:rc2
linux	linux_kernel	6.1:rc3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.234-1 fixed
bookworm	6.1.129-1 fixed
bookworm (security)	6.1.135-1 fixed
trixie	6.12.22-1 fixed
sid	6.12.25-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

linux-allwinner-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

linux-aws-5.0

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.11

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-aws-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-5.3

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-aws-5.8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-aws-fips

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-aws-hwe

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
xenial	needs-triage

linux-azure

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	ignored
xenial	needs-triage
trusty	needs-triage

linux-azure-4.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-azure-5.11

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-azure-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-5.3

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-azure-5.8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-6.11

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-azure-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-azure-edge

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-fde

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	ignored

linux-azure-fde-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-azure-fde-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-fde-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-fips

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-azure-nvidia

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-bluefield

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-fips

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-gcp

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	ignored
xenial	needs-triage

linux-gcp-4.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-gcp-5.11

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-gcp-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-5.3

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gcp-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-gcp-5.8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-6.11

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-gcp-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-gcp-fips

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-gke

plucky	dne
oracular	dne
noble	needs-triage
jammy	needs-triage
focal	ignored

linux-gke-4.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gke-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gke-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gkeop

plucky	dne
oracular	dne
noble	needs-triage
jammy	needs-triage
focal	ignored

linux-gkeop-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gkeop-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-hwe

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	needs-triage

linux-hwe-5.11

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-hwe-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-hwe-5.8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-6.11

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-hwe-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-hwe-edge

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored

linux-ibm

plucky	dne
oracular	dne
noble	needs-triage
jammy	needs-triage
focal	needs-triage

linux-ibm-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-ibm-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-intel-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-intel-iot-realtime

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-intel-iotg

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-intel-iotg-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-iot

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-kvm

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-lowlatency

plucky	dne
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	dne

linux-lowlatency-hwe-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-lowlatency-hwe-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.11

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-lowlatency-hwe-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-lts-xenial

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
trusty	needs-triage

linux-nvidia

plucky	dne
oracular	dne
noble	needs-triage
jammy	needs-triage
focal	dne

linux-nvidia-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-nvidia-lowlatency

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-nvidia-tegra

plucky	dne
oracular	dne
noble	needs-triage
jammy	needs-triage
focal	dne

linux-nvidia-tegra-igx

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-oem

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oem-5.10

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.14

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.17

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-5.6

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-6.0

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.1

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.11

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-oem-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.8

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-oracle

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-oracle-5.0

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.11

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-oracle-5.3

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-oracle-5.8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oracle-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-raspi

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage

linux-raspi-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-raspi-realtime

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-raspi2

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-realtime

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	dne

linux-riscv

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	ignored
focal	ignored

linux-riscv-5.11

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-riscv-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-riscv-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-riscv-5.8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-riscv-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-riscv-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-starfive-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-starfive-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-starfive-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-xilinx-zynqmp

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://git.kernel.org/stable/c/024f4b2e1f874934943eb2d3d288ebc52c79f55c

https://git.kernel.org/stable/c/71d6c33fe223255f4416a01514da2c0bc3e283e7

https://git.kernel.org/stable/c/db66629d43b2d12cb43b004a4ca6be1d03228e97