{
  "threat_severity" : "Low",
  "public_date" : "2025-02-26T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: tracing/histograms: Fix memory leak problem",
    "id" : "2348279",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348279"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-401",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntracing/histograms: Fix memory leak problem\nThis reverts commit 46bbe5c671e06f070428b9be142cc4ee5cedebac.\nAs commit 46bbe5c671e0 (\"tracing: fix double free\") said, the\n\"double free\" problem reported by clang static analyzer is:\n> In parse_var_defs() if there is a problem allocating\n> var_defs.expr, the earlier var_defs.name is freed.\n> This free is duplicated by free_var_defs() which frees\n> the rest of the list.\nHowever, if there is a problem allocating N-th var_defs.expr:\n+ in parse_var_defs(), the freed 'earlier var_defs.name' is\nactually the N-th var_defs.name;\n+ then in free_var_defs(), the names from 0th to (N-1)-th are freed;\n                        IF ALLOCATING PROBLEM HAPPENED HERE!!! -+\n                                                                 \\\n                                                                  |\n          0th           1th                 (N-1)-th      N-th    V\n          +-------------+-------------+-----+-------------+-----------\nvar_defs: | name | expr | name | expr | ... | name | expr | name | ///\n          +-------------+-------------+-----+-------------+-----------\nThese two frees don't act on same name, so there was no \"double free\"\nproblem before. Conversely, after that commit, we get a \"memory leak\"\nproblem because the above \"N-th var_defs.name\" is not freed.\nIf enable CONFIG_DEBUG_KMEMLEAK and inject a fault at where the N-th\nvar_defs.expr allocated, then execute on shell like:\n$ echo 'hist:key=call_site:val=$v1,$v2:v1=bytes_req,v2=bytes_alloc' > \\\n/sys/kernel/debug/tracing/events/kmem/kmalloc/trigger\nThen kmemleak reports:\nunreferenced object 0xffff8fb100ef3518 (size 8):\ncomm \"bash\", pid 196, jiffies 4295681690 (age 28.538s)\nhex dump (first 8 bytes):\n76 31 00 00 b1 8f ff ff                          v1......\nbacktrace:\n[<0000000038fe4895>] kstrdup+0x2d/0x60\n[<00000000c99c049a>] event_hist_trigger_parse+0x206f/0x20e0\n[<00000000ae70d2cc>] trigger_process_regex+0xc0/0x110\n[<0000000066737a4c>] event_trigger_write+0x75/0xd0\n[<000000007341e40c>] vfs_write+0xbb/0x2a0\n[<0000000087fde4c2>] ksys_write+0x59/0xd0\n[<00000000581e9cdf>] do_syscall_64+0x3a/0x80\n[<00000000cf3b065c>] entry_SYSCALL_64_after_hwframe+0x46/0xb0" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49648\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49648\nhttps://lore.kernel.org/linux-cve-announce/2025022620-CVE-2022-49648-ffaa@gregkh/T" ],
  "name" : "CVE-2022-49648",
  "csaw" : false
}