CVE-2022-49764

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2025
Last modified:
02/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Prevent bpf program recursion for raw tracepoint probes

We got a report from sysbot [1] about warnings that were caused by a
bpf program attached to the contention_begin raw tracepoint triggering
the same tracepoint by using the bpf_trace_printk helper, which takes
the trace_printk_lock lock.

Call Trace:

  ? trace_event_raw_event_bpf_trace_printk+0x5f/0x90
  bpf_trace_printk+0x2b/0xe0
  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
  bpf_trace_run2+0x26/0x90
  native_queued_spin_lock_slowpath+0x1c6/0x2b0
  _raw_spin_lock_irqsave+0x44/0x50
  bpf_trace_printk+0x3f/0xe0
  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
  bpf_trace_run2+0x26/0x90
  native_queued_spin_lock_slowpath+0x1c6/0x2b0
  _raw_spin_lock_irqsave+0x44/0x50
  bpf_trace_printk+0x3f/0xe0
  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
  bpf_trace_run2+0x26/0x90
  native_queued_spin_lock_slowpath+0x1c6/0x2b0
  _raw_spin_lock_irqsave+0x44/0x50
  bpf_trace_printk+0x3f/0xe0
  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
  bpf_trace_run2+0x26/0x90
  native_queued_spin_lock_slowpath+0x1c6/0x2b0
  _raw_spin_lock_irqsave+0x44/0x50
  __unfreeze_partials+0x5b/0x160
  ...

This can be reproduced by attaching a bpf program as a raw tracepoint on
the contention_begin tracepoint. The bpf prog calls the bpf_trace_printk
helper. Then by running perf bench the spin lock code is forced to
take the slow path and call the contention_begin tracepoint.

Fixing this by skipping execution of the bpf program if it's
already running, using the bpf prog 'active' field, which is
currently used by trampoline programs for the same reason.

Moving bpf_prog_inc_misses_counter to syscall.c because
trampoline.c is compiled in just for the CONFIG_BPF_JIT option.

[1] https://lore.kernel.org/bpf/YxhFe3EwqchC%2FfYf@krava/T/#t
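The recursion loop in the description and the 'active' guard that closes it, as a user-space C model added here for illustration. This is not the kernel patch or any kernel code: in the kernel `prog->active` is a per-CPU counter read with `this_cpu_inc_return()` inside `__bpf_trace_run()`, and the lock slow path is what re-fires `contention_begin`. The model replaces both with single-threaded counters, and the names `simulate`, `run_result` and `lock_slow_paths` are the model's own. The unpatched variant is deliberately bounded (`lock_slow_paths`) so it terminates instead of overflowing the stack the way the reported trace does.

```c
#include <stdio.h>

/* Model of one bpf program attached to a raw tracepoint (illustrative, not kernel code). */
struct bpf_prog {
    int active;            /* kernel: per-CPU *(prog->active), non-zero while the program runs */
    unsigned long misses;  /* kernel: bumped by bpf_prog_inc_misses_counter() on a refused run */
    int max_depth;         /* deepest nesting reached by the program body (diagnostic only) */
};

static struct bpf_prog *attached;  /* program attached to the modelled contention_begin tracepoint */
static int guard_enabled;          /* 1: behaviour with the fix, 0: behaviour before it */
static int lock_slow_paths;        /* model knob: how many more times the lock slow path fires */
static int cur_depth;

static void contention_begin(void);

/* bpf_trace_printk takes trace_printk_lock. In the report that spinlock hits its
 * slow path and fires contention_begin again, re-entering the same program.
 * The model reproduces that by calling the tracepoint directly, a bounded
 * number of times. */
static void bpf_trace_printk(void)
{
    if (lock_slow_paths-- > 0)
        contention_begin();
}

/* The attached program: all it does is call the bpf_trace_printk helper. */
static void prog_body(struct bpf_prog *prog)
{
    cur_depth++;
    if (cur_depth > prog->max_depth)
        prog->max_depth = cur_depth;
    bpf_trace_printk();
    cur_depth--;
}

/* Model of __bpf_trace_run(): with the guard, a program that is already active
 * on this CPU is not re-entered and the attempt is counted as a miss. */
static void bpf_trace_run(struct bpf_prog *prog)
{
    if (guard_enabled) {
        if (prog->active++ != 0) {   /* kernel: this_cpu_inc_return(*(prog->active)) != 1 */
            prog->misses++;
            prog->active--;
            return;
        }
    }
    prog_body(prog);
    if (guard_enabled)
        prog->active--;
}

static void contention_begin(void)
{
    bpf_trace_run(attached);
}

struct run_result {
    int max_depth;          /* 1 means the program ran once and was never re-entered */
    unsigned long misses;   /* recursive invocations the guard refused */
    int active_after;       /* must be back to 0 once the outermost invocation returns */
};

/* Simulate one contended lock acquisition (what "perf bench" provokes in the
 * report) with slow_paths nested slow-path events available. */
struct run_result simulate(int with_guard, int slow_paths)
{
    struct bpf_prog prog = {0, 0, 0};
    struct run_result r;

    attached = &prog;
    guard_enabled = with_guard;
    lock_slow_paths = slow_paths;
    cur_depth = 0;

    contention_begin();

    r.max_depth = prog.max_depth;
    r.misses = prog.misses;
    r.active_after = prog.active;
    return r;
}

int main(void)
{
    struct run_result before = simulate(0, 8);
    struct run_result after = simulate(1, 8);

    printf("unpatched: program nested %d deep, %lu misses\n",
           before.max_depth, before.misses);
    printf("patched:   program nested %d deep, %lu misses, active=%d\n",
           after.max_depth, after.misses, after.active_after);
    return 0;
}
```

Without the guard every slow-path event re-enters the program, so nesting grows with the number of contention events (unbounded on a real kernel, which is the stack in the report). With the guard the nested invocation sees `active` already set, is counted as a miss and returns, and `active` is back to 0 when the outer run finishes, so the next genuine tracepoint hit runs normally.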

Impact