{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49889", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-05-01T14:05:17.242Z", "datePublished": "2025-05-01T14:10:33.832Z", "dateUpdated": "2025-05-04T12:45:21.932Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T12:45:21.932Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()\n\nOn some machines the number of listed CPUs may be bigger than the actual\nCPUs that exist. The tracing subsystem allocates a per_cpu directory with\naccess to the per CPU ring buffer via a cpuX file. But to save space, the\nring buffer will only allocate buffers for online CPUs, even though the\nCPU array will be as big as the nr_cpu_ids.\n\nWith the addition of waking waiters on the ring buffer when closing the\nfile, the ring_buffer_wake_waiters() now needs to make sure that the\nbuffer is allocated (with the irq_work allocated with it) before trying to\nwake waiters, as it will cause a NULL pointer dereference.\n\nWhile debugging this, I added a NULL check for the buffer itself (which is\nOK to do), and also NULL pointer checks against buffer->buffers (which is\nnot fine, and will WARN) as well as making sure the CPU number passed in\nis within the nr_cpu_ids (which is also not fine if it isn't).\n\n\nBugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1204705"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/trace/ring_buffer.c"], "versions": [{"version": "2475de2bc0de17fb1b24c5e90194f84b5ca70d3e", "lessThan": "b5074df412bf3df9d6ce096b6fa03eb1082d05c9", "status": "affected", "versionType": "git"}, {"version": "f4f15344110d0b5b8822ac97bc8200e71939c945", "lessThan": "49ca992f6e50d0f46ec9608f44e011cf3121f389", "status": "affected", "versionType": "git"}, {"version": "f3ddb74ad0790030c9592229fb14d8c451f4e9a8", "lessThan": "7433632c9ff68a991bd0bc38cabf354e9d2de410", "status": "affected", "versionType": "git"}, {"version": "5544f411a4e8bc39e6a444badbac37dd0e0caf0a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/trace/ring_buffer.c"], "versions": [{"version": "5.15.75", "lessThan": "5.15.78", "status": "affected", "versionType": "semver"}, {"version": "6.0.3", "lessThan": "6.0.8", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.75", "versionEndExcluding": "5.15.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.3", "versionEndExcluding": "6.0.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b5074df412bf3df9d6ce096b6fa03eb1082d05c9"}, {"url": "https://git.kernel.org/stable/c/49ca992f6e50d0f46ec9608f44e011cf3121f389"}, {"url": "https://git.kernel.org/stable/c/7433632c9ff68a991bd0bc38cabf354e9d2de410"}], "title": "ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4CB2AAA-62E0-462D-A82C-B508C89FE544", "versionEndExcluding": "5.15.78", "versionStartIncluding": "5.15.75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6817F83D-0EC4-49B2-AAB2-1836D288AE4E", "versionEndExcluding": "6.0", "versionStartIncluding": "5.19.17", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D03DFBA-5776-42FE-83ED-12B26DA723B5", "versionEndExcluding": "6.0.8", "versionStartIncluding": "6.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()\n\nOn some machines the number of listed CPUs may be bigger than the actual\nCPUs that exist. The tracing subsystem allocates a per_cpu directory with\naccess to the per CPU ring buffer via a cpuX file. But to save space, the\nring buffer will only allocate buffers for online CPUs, even though the\nCPU array will be as big as the nr_cpu_ids.\n\nWith the addition of waking waiters on the ring buffer when closing the\nfile, the ring_buffer_wake_waiters() now needs to make sure that the\nbuffer is allocated (with the irq_work allocated with it) before trying to\nwake waiters, as it will cause a NULL pointer dereference.\n\nWhile debugging this, I added a NULL check for the buffer itself (which is\nOK to do), and also NULL pointer checks against buffer->buffers (which is\nnot fine, and will WARN) as well as making sure the CPU number passed in\nis within the nr_cpu_ids (which is also not fine if it isn't).\n\n\nBugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1204705"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ring-buffer: Comprobar si hay un cpu_buffer nulo en ring_buffer_wake_waiters() En algunas m\u00e1quinas, el n\u00famero de CPU listadas puede ser mayor que el de CPU reales existentes. El subsistema de rastreo asigna un directorio per_cpu con acceso al b\u00fafer de anillo por CPU a trav\u00e9s de un archivo cpuX. Pero para ahorrar espacio, el b\u00fafer de anillo solo asignar\u00e1 b\u00faferes para las CPU en l\u00ednea, aunque la matriz de CPU ser\u00e1 tan grande como nr_cpu_ids. Con la adici\u00f3n de despertar a los que esperan en el b\u00fafer de anillo al cerrar el archivo, ring_buffer_wake_waiters() ahora debe asegurarse de que el b\u00fafer est\u00e9 asignado (con el irq_work asignado con \u00e9l) antes de intentar despertar a los que esperan, ya que provocar\u00e1 una desreferencia de puntero nulo. Durante la depuraci\u00f3n, a\u00f1ad\u00ed una comprobaci\u00f3n de valores nulos para el propio b\u00fafer (lo cual es correcto), as\u00ed como comprobaciones de punteros nulos contra buffer->buffers (lo cual no es correcto y generar\u00e1 una advertencia), adem\u00e1s de asegurarme de que el n\u00famero de CPU introducido est\u00e9 dentro del nr_cpu_ids (lo cual tampoco es correcto si no lo est\u00e1). Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1204705"}], "id": "CVE-2022-49889", "lastModified": "2025-05-07T13:19:59.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-01T15:16:13.897", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/49ca992f6e50d0f46ec9608f44e011cf3121f389"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7433632c9ff68a991bd0bc38cabf354e9d2de410"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b5074df412bf3df9d6ce096b6fa03eb1082d05c9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()", "id": "2363445", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363445"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()\nOn some machines the number of listed CPUs may be bigger than the actual\nCPUs that exist. The tracing subsystem allocates a per_cpu directory with\naccess to the per CPU ring buffer via a cpuX file. But to save space, the\nring buffer will only allocate buffers for online CPUs, even though the\nCPU array will be as big as the nr_cpu_ids.\nWith the addition of waking waiters on the ring buffer when closing the\nfile, the ring_buffer_wake_waiters() now needs to make sure that the\nbuffer is allocated (with the irq_work allocated with it) before trying to\nwake waiters, as it will cause a NULL pointer dereference.\nWhile debugging this, I added a NULL check for the buffer itself (which is\nOK to do), and also NULL pointer checks against buffer->buffers (which is\nnot fine, and will WARN) as well as making sure the CPU number passed in\nis within the nr_cpu_ids (which is also not fine if it isn't).\nBugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1204705"], "name": "CVE-2022-49889", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49889\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49889\nhttps://lore.kernel.org/linux-cve-announce/2025050157-CVE-2022-49889-ff97@gregkh/T"], "threat_severity": "Moderate"}