{"id":"CVE-2022-50078","summary":"tracing/eprobes: Do not allow eprobes to use $stack, or % for regs","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/eprobes: Do not allow eprobes to use $stack, or % for regs\n\nWhile playing with event probes (eprobes), I tried to see what would\nhappen if I attempted to retrieve the instruction pointer (%rip) knowing\nthat event probes do not use pt_regs. The result was:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000024\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 1847 Comm: trace-cmd Not tainted 5.19.0-rc5-test+ #309\n Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01\nv03.03 07/14/2016\n RIP: 0010:get_event_field.isra.0+0x0/0x50\n Code: ff 48 c7 c7 c0 8f 74 a1 e8 3d 8b f5 ff e8 88 09 f6 ff 4c 89 e7 e8\n50 6a 13 00 48 89 ef 5b 5d 41 5c 41 5d e9 42 6a 13 00 66 90 \u003c48\u003e 63 47 24\n8b 57 2c 48 01 c6 8b 47 28 83 f8 02 74 0e 83 f8 04 74\n RSP: 0018:ffff916c394bbaf0 EFLAGS: 00010086\n RAX: ffff916c854041d8 RBX: ffff916c8d9fbf50 RCX: ffff916c255d2000\n RDX: 0000000000000000 RSI: ffff916c255d2008 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ffff916c3a2a0c08 R09: ffff916c394bbda8\n R10: 0000000000000000 R11: 0000000000000000 R12: ffff916c854041d8\n R13: ffff916c854041b0 R14: 0000000000000000 R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff916c9ea40000(0000)\nknlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000024 CR3: 000000011b60a002 CR4: 00000000001706e0\n Call Trace:\n  \u003cTASK\u003e\n  get_eprobe_size+0xb4/0x640\n  ? __mod_node_page_state+0x72/0xc0\n  __eprobe_trace_func+0x59/0x1a0\n  ? __mod_lruvec_page_state+0xaa/0x1b0\n  ? page_remove_file_rmap+0x14/0x230\n  ? page_remove_rmap+0xda/0x170\n  event_triggers_call+0x52/0xe0\n  trace_event_buffer_commit+0x18f/0x240\n  trace_event_raw_event_sched_wakeup_template+0x7a/0xb0\n  try_to_wake_up+0x260/0x4c0\n  __wake_up_common+0x80/0x180\n  __wake_up_common_lock+0x7c/0xc0\n  do_notify_parent+0x1c9/0x2a0\n  exit_notify+0x1a9/0x220\n  do_exit+0x2ba/0x450\n  do_group_exit+0x2d/0x90\n  __x64_sys_exit_group+0x14/0x20\n  do_syscall_64+0x3b/0x90\n  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nObviously this is not the desired result.\n\nMove the testing for TPARG_FL_TPOINT which is only used for event probes\nto the top of the \"$\" variable check, as all the other variables are not\nused for event probes. Also add a check in the register parsing \"%\" to\nfail if an event probe is used.","modified":"2026-04-02T08:28:12.270007Z","published":"2025-06-18T11:02:21.119Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50078.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2673c60ee67e71f2ebe34386e62d348f71edee47"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7c262114a576d94c0ced80e232bbb17391a55908"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ba53c21ce9773743b8e0a8ada048c96ff2d55c67"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50078.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50078"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7491e2c442781a1860181adb5ab472a52075f393"},{"fixed":"ba53c21ce9773743b8e0a8ada048c96ff2d55c67"},{"fixed":"7c262114a576d94c0ced80e232bbb17391a55908"},{"fixed":"2673c60ee67e71f2ebe34386e62d348f71edee47"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50078.json"}}],"schema_version":"1.7.5"}