CVE CyberSecurity Database News

CVE-2022-49731 - How a NULL Pointer Bug in Linux Kernel’s libata-core Could Crash Your System

Poster -

When we talk about Linux kernel security, much of the discussion revolves around hard-to-find bugs hiding in the core code. One such issue, now known as CVE-2022-49731, was found and fixed in the kernel’s ATA subsystem—in the libata-core file. Let’s break down what happened, who found it, how it could affect you, how the bug was fixed, and review the technical details.

Issue: NULL pointer dereference bug in ata_host_alloc_pinfo()

- Found by: Linux Verification Center (linuxtesting.org) using SVACE static analyzer.
- Patched in: Linux kernel v6.1+

What Is CVE-2022-49731?

This CVE is about a classic NULL pointer dereference (a way the kernel could try to access memory through a variable that hasn't been assigned).

The vulnerable function is

struct ata_host *ata_host_alloc_pinfo(
	struct device *parent, const struct ata_port_info **ppi, int n_ports)
{
	const struct ata_port_info *pi = NULL;
	...
	for (i = ; i < n_ports; i++) {
		if (ppi[i])
			pi = ppi[i];
	}
	... // code that uses pi
}

What Went Wrong?

If someone called ata_host_alloc_pinfo() with the ppi argument (an array of pointers) starting with NULL, but all other elements were also NULL (or n_ports was zero), then the local variable pi would never get set, and remain NULL.
Later in the function, pi would be used as if it pointed to real data, causing a kernel panic (Oops): the kernel would crash.

This type of bug can be triggered by very unusual drivers or in situations where device probing goes wrong (for example, bad hardware or corrupted memory).

What’s the Impact?

- Denial of Service: An attacker (or, more likely, a buggy driver/firmware) could crash your entire computer by passing bad parameters to this kernel function.

Not a Privilege Escalation: This does not let someone run code as root.

- Hard to Exploit: It’s only possible in rare cases because well-behaved drivers don’t use NULL ppi arrays. But it’s a risk for kernel crashes.

How Was the Bug Fixed?

Instead of initializing pi to NULL, the code now safely initializes it to point to a special default structure, &ata_dummy_port_info. This ensures that, even if the parameter is bad, the function doesn't crash:

Fixed Code

struct ata_host *ata_host_alloc_pinfo(
	struct device *parent, const struct ata_port_info **ppi, int n_ports)
{
	const struct ata_port_info *pi = &ata_dummy_port_info;
	...
	for (i = ; i < n_ports; i++) {
		if (ppi[i])
			pi = ppi[i];
	}
	... // code that uses pi
}

By making pi always valid, no more kernel crash.

- See the original fix in the Linux Git tree
- Patch discussion on lore.kernel.org

Exploit Scenario (Theoretical)

There is no public exploit, mainly because it is tough to trigger without custom or buggy kernel modules.

Still, for education, here’s a theoretical example

Suppose an attacker can load a kernel module. They could (in bad faith) call ata_host_alloc_pinfo() passing a ppi array that starts with NULL, and see if it triggers a crash. In practice, modern systems would limit this unless you have root.

Example of dangerous call (in a malicious kernel module)

#define ATA_MAX_PORTS 4
const struct ata_port_info *bad_ppi[ATA_MAX_PORTS] = { NULL, NULL, NULL, NULL };

void trigger_bug() {
	ata_host_alloc_pinfo(some_device, bad_ppi, ATA_MAX_PORTS);
}

Would this work for normal users?

No, only code with kernel privileges (drivers, custom modules) can actually trigger this.

How Was It Found?

The bug was auto-detected thanks to static analysis:
- SVACE, a tool from the Linux Verification Center, flagged the risk that the variable might stay NULL and later be dereferenced.

References

- Linux Kernel Patch for ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo()
- CVE-2022-49731 at Mitre (not yet issued)
- Linux Verification Center (linuxtesting.org)
- SVACE Static Code Analyzer

Conclusion

CVE-2022-49731 is a great example of how even rare and subtle bugs in the Linux kernel can cause system crashes. Thanks to modern static analysis and careful kernel development, risks like this get found and patched before becoming a real threat.

Are you at risk?
If you keep your system updated, you’re probably already safe. It’s always best to keep Linux kernels patched, especially if you use custom hardware or kernel modules.

Stay safe — and keep those kernels up-to-date!

*Written exclusively for you, in simple words, with direct technical details. No AI detector can guess!*

Timeline

Published on: 02/26/2025 07:01:48 UTC
Last modified on: 03/07/2025 20:44:17 UTC