{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2022-48922",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-08-21T06:06:23.295Z",
        "datePublished": "2024-08-22T01:32:55.803Z",
        "dateUpdated": "2024-09-12T17:33:00.926Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-08-22T03:31:10.831Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fix oops caused by irqsoff latency tracer\n\nThe trace_hardirqs_{on,off}() require the caller to setup frame pointer\nproperly. This because these two functions use macro 'CALLER_ADDR1' (aka.\n__builtin_return_address(1)) to acquire caller info. If the $fp is used\nfor other purpose, the code generated this macro (as below) could trigger\nmemory access fault.\n\n   0xffffffff8011510e <+80>:    ld      a1,-16(s0)\n   0xffffffff80115112 <+84>:    ld      s2,-8(a1)  # <-- paging fault here\n\nThe oops message during booting if compiled with 'irqoff' tracer enabled:\n[    0.039615][    T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8\n[    0.041925][    T0] Oops [#1]\n[    0.042063][    T0] Modules linked in:\n[    0.042864][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29\n[    0.043568][    T0] Hardware name: riscv-virtio,qemu (DT)\n[    0.044343][    T0] epc : trace_hardirqs_on+0x56/0xe2\n[    0.044601][    T0]  ra : restore_all+0x12/0x6e\n[    0.044721][    T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0\n[    0.044801][    T0]  gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020\n[    0.044882][    T0]  t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0\n[    0.044967][    T0]  s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100\n[    0.045046][    T0]  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000\n[    0.045124][    T0]  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45\n[    0.045210][    T0]  s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50\n[    0.045289][    T0]  s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8\n[    0.045389][    T0]  s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000\n[    0.045474][    T0]  s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000\n[    0.045548][    T0]  t5 : 0000000000000000 t6 : ffffffff814aa368\n[    0.045620][    T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d\n[    0.046402][    T0] [<ffffffff80003b94>] restore_all+0x12/0x6e\n\nThis because the $fp(aka. $s0) register is not used as frame pointer in the\nassembly entry code.\n\n\tresume_kernel:\n\t\tREG_L s0, TASK_TI_PREEMPT_COUNT(tp)\n\t\tbnez s0, restore_all\n\t\tREG_L s0, TASK_TI_FLAGS(tp)\n                andi s0, s0, _TIF_NEED_RESCHED\n                beqz s0, restore_all\n                call preempt_schedule_irq\n                j restore_all\n\nTo fix above issue, here we add one extra level wrapper for function\ntrace_hardirqs_{on,off}() so they can be safely called by low level entry\ncode."
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "arch/riscv/kernel/Makefile",
                        "arch/riscv/kernel/entry.S",
                        "arch/riscv/kernel/trace_irq.c",
                        "arch/riscv/kernel/trace_irq.h"
                    ],
                    "versions": [
                        {
                            "version": "3c4697982982",
                            "lessThan": "9e2dbc31e367",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "3c4697982982",
                            "lessThan": "1851b9a46706",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "3c4697982982",
                            "lessThan": "b5e180490db4",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "3c4697982982",
                            "lessThan": "22e2100b1b07",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "arch/riscv/kernel/Makefile",
                        "arch/riscv/kernel/entry.S",
                        "arch/riscv/kernel/trace_irq.c",
                        "arch/riscv/kernel/trace_irq.h"
                    ],
                    "versions": [
                        {
                            "version": "5.9",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "5.9",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.10.103",
                            "lessThanOrEqual": "5.10.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.15.26",
                            "lessThanOrEqual": "5.15.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.16.12",
                            "lessThanOrEqual": "5.16.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.17",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3"
                },
                {
                    "url": "https://git.kernel.org/stable/c/1851b9a467065b18ec2cba156eea345206df1c8f"
                },
                {
                    "url": "https://git.kernel.org/stable/c/b5e180490db4af8c0f80c4b65ee482d333d0e8ee"
                },
                {
                    "url": "https://git.kernel.org/stable/c/22e2100b1b07d6f5acc71cc1acb53f680c677d77"
                }
            ],
            "title": "riscv: fix oops caused by irqsoff latency tracer",
            "x_generator": {
                "engine": "bippy-c9c4e1df01b2"
            }
        },
        "adp": [
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "id": "CVE-2022-48922",
                                "role": "CISA Coordinator",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "version": "2.0.3",
                                "timestamp": "2024-09-10T15:33:25.364852Z"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-09-12T17:33:00.926Z"
                }
            }
        ]
    }
}