VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2022-50812

Description

In the Linux kernel, the following vulnerability has been resolved:

security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6

A bad bug in clang's implementation of -fzero-call-used-regs can result in NULL pointer dereferences (see the links above the check for more information). Restrict CONFIG_CC_HAS_ZERO_CALL_USED_REGS to either a supported GCC version or a clang newer than 15.0.6, which will catch both a theoretical 15.0.7 and the upcoming 16.0.0, which will both have the bug fixed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A clang compiler bug in -fzero-call-used-regs could cause NULL pointer dereferences; the fix restricts the kernel's use of that feature to safe compiler versions.

Vulnerability

The Linux kernel's CONFIG_ZERO_CALL_USED_REGS feature, which zeroes caller-saved registers to reduce information leaks, is implemented via the compiler flag -fzero-call-used-regs. A bug in clang's implementation of this flag, present in versions before 15.0.7 and fixed in the upcoming 16.0.0, can cause the compiler to generate code that leads to NULL pointer dereferences. The vulnerability is not in the kernel source itself but in the toolchain interaction: the kernel's config option permitted the feature to be enabled with a broken clang version.

Exploitation

No special network position or authentication is required for the bug to manifest; the flaw is present whenever the kernel is compiled with a vulnerable clang (versions ≤ 15.0.6) and with the CONFIG_ZERO_CALL_USED_REGS option enabled. The resulting kernel would contain compiled code that dereferences a NULL pointer on certain execution paths, likely causing a denial of service (kernel panic) or potentially allowing privilege escalation if the NULL dereference is exploitable.

Impact

An attacker who can run code on a system with such a compiled kernel, or who can trigger the vulnerable code path (e.g., via a system call), could cause a kernel crash. In more severe cases, the NULL pointer dereference might be leveraged for arbitrary code execution, depending on the specific memory layout and kernel hardening.

Mitigation

The Linux kernel commit restricts CONFIG_CC_HAS_ZERO_CALL_USED_REGS to either a supported GCC version or clang newer than 15.0.6. Distributions that ship kernel builds should ensure they use a fixed clang (≥15.0.7 or ≥16.0.0) or GCC. End users can verify their compiler version and avoid enabling the feature with vulnerable toolchains. This fix has been backported to stable kernel releases [1][2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
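
The compiler-version check mentioned under Mitigation, as an added example that is not part of the advisory or the kernel commit: a POSIX shell function that reads a kernel `.config` and flags a build made with clang 15.0.6 or older while `CONFIG_ZERO_CALL_USED_REGS=y`. It assumes the standard Kconfig symbols `CONFIG_CC_IS_CLANG` and `CONFIG_CLANG_VERSION`; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the toolchain combination in this CVE.
# Return status: 0 = not affected, 1 = affected, 2 = cannot determine.

# Print the value of Kconfig symbol $2 from file $1 (empty if unset).
kconfig_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

check_zero_call_used_regs() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable: $cfg" >&2; return 2; }

    if [ "$(kconfig_get "$cfg" CONFIG_ZERO_CALL_USED_REGS)" != "y" ]; then
        echo "ok: CONFIG_ZERO_CALL_USED_REGS is not enabled"; return 0
    fi
    if [ "$(kconfig_get "$cfg" CONFIG_CC_IS_CLANG)" != "y" ]; then
        echo "ok: kernel was not configured for clang"; return 0
    fi

    ver=$(kconfig_get "$cfg" CONFIG_CLANG_VERSION)
    case $ver in
        ''|*[!0-9]*)
            echo "unknown: no usable CONFIG_CLANG_VERSION" >&2; return 2 ;;
    esac

    # CONFIG_CLANG_VERSION is major*10000 + minor*100 + patch: 15.0.6 -> 150006.
    if [ "$ver" -le 150006 ]; then
        echo "affected: clang $ver with CONFIG_ZERO_CALL_USED_REGS=y"; return 1
    fi
    echo "ok: clang $ver is newer than 15.0.6"; return 0
}

# Constructed sample .config (not taken from a real build).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_CC_IS_CLANG=y
CONFIG_CLANG_VERSION=150006
CONFIG_ZERO_CALL_USED_REGS=y
EOF
check_zero_call_used_regs "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On a running system the function can be pointed at the installed config, for example `/boot/config-$(uname -r)` where the distribution ships one.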
