PT-2025-25934 · Linux+2 · Linux Kernel+2

Published: 2022-08-20 · Updated: 2025-07-28 · CVE-2022-50008

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 5.19.0+

Description

A vulnerability in the Linux kernel has been identified, where the assumption in disable_kprobe() is incorrect, leading to an attempt to disarm an already disarmed kprobe and triggering a WARN_ONCE() warning. This issue can be reproduced by writing 0 to /sys/kernel/debug/kprobes/enabled, running execsnoop, and then writing 1 to /sys/kernel/debug/kprobes/enabled. The vulnerability can cause an infinite loop, resulting in RCU stall or soft lockup, when commands like cat /sys/kernel/debug/kprobes/list or /usr/share/bcc/tools/execsnoop are executed.

Recommendations

To resolve the issue, ensure that disarm_kprobe() is not called for disabled kprobes. For Linux kernel versions prior to 5.19.0+, update to a newer version that includes the fix for this issue. As a temporary workaround, consider disabling the disable_kprobe() function until a patch is available. Restrict access to the /sys/kernel/debug/kprobes/enabled file to minimize the risk of exploitation. Avoid using the kprobes feature in the affected Linux kernel versions until the issue is resolved.

Exploit

Fix

Infinite Loop

Weakness Enumeration

Related Identifiers

BDU:2026-04559
CVE-2022-50008
SUSE-SU-2025:02264-1
SUSE-SU-2025:02321-1
SUSE-SU-2025:02322-1
SUSE-SU-2025:02334-1
SUSE-SU-2025:02537-1
SUSE-SU-2025:2264-1
SUSE-SU-2025_02264-1
SUSE-SU-2025_02334-1
SUSE-SU-2025_02537-1

Affected Products

Astra Linux
Linux Kernel
Suse