CVE-2022-49341
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
21/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
bpf, arm64: Clear prog->jited_len along prog->jited<br />
<br />
syzbot reported an illegal copy_to_user() attempt<br />
from bpf_prog_get_info_by_fd() [1]<br />
<br />
There was no repro yet on this bug, but I think<br />
that commit 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns")<br />
is exposing a prior bug in bpf arm64.<br />
<br />
bpf_prog_get_info_by_fd() looks at prog->jited_len<br />
to determine if the JIT image can be copied out to user space.<br />
<br />
My theory is that syzbot managed to get a prog where prog->jited_len<br />
has been set to 43, while prog->bpf_func has ben cleared.<br />
<br />
It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering<br />
this particular warning.<br />
<br />
I thought find_vma_area(NULL) would not find a vm_struct.<br />
As we do not hold vmap_area_lock spinlock, it might be possible<br />
that the found vm_struct was garbage.<br />
<br />
[1]<br />
usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)!<br />
kernel BUG at mm/usercopy.c:101!<br />
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP<br />
Modules linked in:<br />
CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0<br />
Hardware name: linux,dummy-virt (DT)<br />
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br />
pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101<br />
lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89<br />
sp : ffff80000b773a20<br />
x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48<br />
x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000<br />
x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001<br />
x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd<br />
x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420<br />
x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031<br />
x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865<br />
x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830<br />
x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000<br />
x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064<br />
Call trace:<br />
usercopy_abort+0x90/0x94 mm/usercopy.c:89<br />
check_heap_object mm/usercopy.c:186 [inline]<br />
__check_object_size mm/usercopy.c:252 [inline]<br />
__check_object_size+0x198/0x36c mm/usercopy.c:214<br />
check_object_size include/linux/thread_info.h:199 [inline]<br />
check_copy_size include/linux/thread_info.h:235 [inline]<br />
copy_to_user include/linux/uaccess.h:159 [inline]<br />
bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993<br />
bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253<br />
__sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956<br />
__do_sys_bpf kernel/bpf/syscall.c:5021 [inline]<br />
__se_sys_bpf kernel/bpf/syscall.c:5019 [inline]<br />
__arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019<br />
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]<br />
invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52<br />
el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142<br />
do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206<br />
el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624<br />
el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642<br />
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581<br />
Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000)
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.16 (including) | 4.19.247 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.198 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.122 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.47 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.17.15 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.18 (including) | 5.18.4 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0cf7aaff290cdc4d7cee683d4a18138b0dacac48
- https://git.kernel.org/stable/c/10f3b29c65bb2fe0d47c2945cd0b4087be1c5218
- https://git.kernel.org/stable/c/3f4d5e727aeaa610688d46c9f101f78b7f712583
- https://git.kernel.org/stable/c/41f7c4f85d402043687e863627a1a84fa867c62d
- https://git.kernel.org/stable/c/5c25a3040bc0486c41a7b63a1fb0de7cdb846ad7
- https://git.kernel.org/stable/c/aaf61a312af63e1cfe2264c4c5b8cd4ea3626025
- https://git.kernel.org/stable/c/e412b3d178ea4bf746f6b8ee086761613704c6be