CVE-2022-49840
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
01/05/2025
Last modified:
01/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()

We got a syzkaller problem because of an aarch64 alignment fault
if KFENCE is enabled. When the size from the user bpf program is an odd
number, like 399, 407, etc., it will cause an unaligned access to
struct skb_shared_info. As seen below:

BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032

Use-after-free read at 0xffff6254fffac077 (in kfence-#213):
__lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]
arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]
arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]
atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]
__skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
skb_clone+0xf4/0x214 net/core/skbuff.c:1481
____bpf_clone_redirect net/core/filter.c:2433 [inline]
bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420
bpf_prog_d3839dd9068ceb51+0x80/0x330
bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]
bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53
bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594
bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
__do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
__se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381

kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512

allocated by task 15074 on cpu 0 at 1342.585390s:
kmalloc include/linux/slab.h:568 [inline]
kzalloc include/linux/slab.h:675 [inline]
bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191
bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512
bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
__do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
__se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
__arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381

To fix the problem, we adjust @size so that (@size + @headroom) is a
multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info
is aligned to a cache line.
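The following C program is an added illustration of the arithmetic behind the fix described in the commit message above; it is not code from this page or from the kernel. It models the test_run buffer as [headroom][user data of @size bytes][skb_shared_info], so for odd sizes such as 399 or 407 the shared_info lands at an offset that is not a multiple of the cache line, and the trace above shows the resulting fault on an LSE atomic_inc, which on arm64 requires a naturally aligned operand. The fix is then applied as stated: @size is rounded up so that (@size + @headroom) is a multiple of SMP_CACHE_BYTES. The constants (SMP_CACHE_BYTES = 64, NET_SKB_PAD = 64, NET_IP_ALIGN = 2, a 4096-byte page, a 320-byte skb_shared_info), the helper names, the page-size bound check and the exact rounding expression are assumptions for the example; the page only states the invariant.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed arm64 constants for this illustration; not taken from the page. */
#define SMP_CACHE_BYTES   64u
#define NET_SKB_PAD       64u
#define NET_IP_ALIGN      2u
#define TEST_PAGE_SIZE    4096u
#define HEADROOM          (NET_SKB_PAD + NET_IP_ALIGN)

/* sizeof(struct skb_shared_info) is not given on the page; 320 bytes is a
 * placeholder so that the tailroom has a realistic magnitude. */
#define SHINFO_SIZE       320u

/* Kernel-style rounding helpers, reimplemented here for the model. */
#define ALIGN(x, a)        (((x) + ((a) - 1u)) & ~((a) - 1u))
#define SKB_DATA_ALIGN(x)  ALIGN((x), SMP_CACHE_BYTES)
#define TAILROOM           SKB_DATA_ALIGN(SHINFO_SIZE)

/* Model of the buffer layout: [headroom][user data: size][shared_info].
 * The shared_info therefore starts at headroom + size. */
static uint32_t shinfo_offset(uint32_t size, uint32_t headroom)
{
    return headroom + size;
}

static bool is_cache_aligned(uint32_t off)
{
    return off % SMP_CACHE_BYTES == 0;
}

/* Bound check the caller must do before rounding so that the u32 arithmetic
 * below cannot wrap (assumed bound: data plus headroom and tailroom must fit
 * in one page). */
static bool size_in_bounds(uint32_t size, uint32_t headroom, uint32_t tailroom)
{
    return size <= TEST_PAGE_SIZE - headroom - tailroom;
}

/* The fix stated in the commit message: grow @size so that
 * (@size + @headroom) is a multiple of SMP_CACHE_BYTES. The user's bytes are
 * untouched; the extra tail bytes are zero padding from kzalloc. */
static uint32_t align_test_size(uint32_t size, uint32_t headroom)
{
    return SKB_DATA_ALIGN(size + headroom) - headroom;
}

int main(void)
{
    /* Constructed sample sizes: the two odd values from the report plus
     * sizes that are already fine. */
    const uint32_t sizes[] = { 399, 407, 446, 512, 1500 };

    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        uint32_t size = sizes[i];

        if (!size_in_bounds(size, HEADROOM, TAILROOM)) {
            printf("size=%u rejected (exceeds page bound)\n", size);
            continue;
        }

        uint32_t before = shinfo_offset(size, HEADROOM);
        uint32_t fixed  = align_test_size(size, HEADROOM);
        uint32_t after  = shinfo_offset(fixed, HEADROOM);

        printf("size=%4u  shinfo@%4u (%s)  ->  size=%4u  shinfo@%4u (%s)\n",
               size, before, is_cache_aligned(before) ? "aligned" : "UNALIGNED",
               fixed, after, is_cache_aligned(after) ? "aligned" : "UNALIGNED");
    }
    return 0;
}
```

With the assumed headroom of 66 bytes, both 399 and 407 round up to 446, which puts the shared_info at offset 512; a size that already satisfies the invariant is returned unchanged. The bound check matters because @size is user-controlled and the rounding adds up to SMP_CACHE_BYTES - 1 bytes, so an unchecked value near UINT32_MAX would wrap.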
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.12 (including) | 4.14.300 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.267 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.225 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.156 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.80 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.0.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/047824a730699c6c66df43306b80f700c9dfc2fd
- https://git.kernel.org/stable/c/1b597f2d6a55e9f549989913860ad5170da04964
- https://git.kernel.org/stable/c/730fb1ef974a13915bc7651364d8b3318891cd70
- https://git.kernel.org/stable/c/7a704dbfd3735304e261f2787c52fbc7c3884736
- https://git.kernel.org/stable/c/d3fd203f36d46aa29600a72d57a1b61af80e4a25
- https://git.kernel.org/stable/c/e60f37a1d379c821c17b08f366412dce9ef3d99f
- https://git.kernel.org/stable/c/eaa8edd86514afac9deb9bf9a5053e74f37edf40