Wind River Support Network

HomeDefectsLIN1022-19734

Fixed

LIN1022-19734 : Security Advisory - linux - CVE-2022-50635

Created: Dec 9, 2025 Updated: Dec 11, 2025

Resolved Date: Dec 9, 2025

Found In Version: 10.22.33.1

Fix Version: 10.22.33.3

Severity: Standard

Applicable for: Wind River Linux LTS 22

Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved: powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe() I found a null pointer reference in arch_prepare_kprobe():  # echo 'p cmdline_proc_show' > kprobe_events  # echo 'p cmdline_proc_show+16' >> kprobe_events  Kernel attempted to read user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on read at 0x00000000  Faulting instruction address: 0xc000000000050bfc  Oops: Kernel access of bad area, sig: 11 [#1]  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV  Modules linked in:  CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10  NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc  REGS: c0000000348475b0 TRAP: 0300  Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)  MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 88002444 XER: 20040006  CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0  ...  NIP arch_prepare_kprobe+0x10c/0x2d0  LR arch_prepare_kprobe+0xfc/0x2d0  Call Trace:   0xc0000000012f77a0 (unreliable)   register_kprobe+0x3c0/0x7a0   __register_trace_kprobe+0x140/0x1a0   __trace_kprobe_create+0x794/0x1040   trace_probe_create+0xc4/0xe0   create_or_delete_trace_kprobe+0x2c/0x80   trace_parse_run_command+0xf0/0x210   probes_write+0x20/0x40   vfs_write+0xfc/0x450   ksys_write+0x84/0x140   system_call_exception+0x17c/0x3a0   system_call_vectored_common+0xe8/0x278  --- interrupt: 3000 at 0x7fffa5682de0  NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000  REGS: c000000034847e80 TRAP: 3000  Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)  MSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002408 XER: 00000000 The address being probed has some special:  cmdline_proc_show: Probe based on ftrace  cmdline_proc_show+16: Probe for the next instruction at the ftrace location The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets set to NULL. In arch_prepare_kprobe() it will check for:  ...  prev = get_kprobe(p->addr - 1);  preempt_enable_no_resched();  if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {  ... If prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur with a null pointer reference. At this point prev->addr will not be a prefixed instruction, so the check can be skipped. Check if prev is ftrace-based kprobe before reading 'prev->ainsn.insn' to fix this problem. [mpe: Trim oops]

CVEs

CVE-2022-50635