CVE-2022-49970

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf, cgroup: Fix kernel BUG in purge_effective_progs<br /> <br /> Syzkaller reported a triggered kernel BUG as follows:<br /> <br /> ------------[ cut here ]------------<br /> kernel BUG at kernel/bpf/cgroup.c:925!<br /> invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 1 PID: 194 Comm: detach Not tainted 5.19.0-14184-g69dac8e431af #8<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br /> rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:__cgroup_bpf_detach+0x1f2/0x2a0<br /> Code: 00 e8 92 60 30 00 84 c0 75 d8 4c 89 e0 31 f6 85 f6 74 19 42 f6 84<br /> 28 48 05 00 00 02 75 0e 48 8b 80 c0 00 00 00 48 85 c0 75 e5 0b 48<br /> 8b 0c5<br /> RSP: 0018:ffffc9000055bdb0 EFLAGS: 00000246<br /> RAX: 0000000000000000 RBX: ffff888100ec0800 RCX: ffffc900000f1000<br /> RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888100ec4578<br /> RBP: 0000000000000000 R08: ffff888100ec0800 R09: 0000000000000040<br /> R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100ec4000<br /> R13: 000000000000000d R14: ffffc90000199000 R15: ffff888100effb00<br /> FS: 00007f68213d2b80(0000) GS:ffff88813bc80000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000055f74a0e5850 CR3: 0000000102836000 CR4: 00000000000006e0<br /> Call Trace:<br /> <br /> cgroup_bpf_prog_detach+0xcc/0x100<br /> __sys_bpf+0x2273/0x2a00<br /> __x64_sys_bpf+0x17/0x20<br /> do_syscall_64+0x3b/0x90<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> RIP: 0033:0x7f68214dbcb9<br /> Code: 08 44 89 e0 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 48 89 f8 48 89<br /> f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01<br /> f0 ff8<br /> RSP: 002b:00007ffeb487db68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141<br /> RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f68214dbcb9<br /> RDX: 0000000000000090 RSI: 00007ffeb487db70 RDI: 0000000000000009<br /> RBP: 0000000000000003 R08: 0000000000000012 R09: 0000000b00000003<br /> R10: 00007ffeb487db70 R11: 0000000000000246 R12: 00007ffeb487dc20<br /> R13: 0000000000000004 R14: 0000000000000001 R15: 000055f74a1011b0<br /> <br /> Modules linked in:<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> Repetition steps:<br /> <br /> For the following cgroup tree,<br /> <br /> root<br /> |<br /> cg1<br /> |<br /> cg2<br /> <br /> 1. attach prog2 to cg2, and then attach prog1 to cg1, both bpf progs<br /> attach type is NONE or OVERRIDE.<br /> 2. write 1 to /proc/thread-self/fail-nth for failslab.<br /> 3. detach prog1 for cg1, and then kernel BUG occur.<br /> <br /> Failslab injection will cause kmalloc fail and fall back to<br /> purge_effective_progs. The problem is that cg2 have attached another prog,<br /> so when go through cg2 layer, iteration will add pos to 1, and subsequent<br /> operations will be skipped by the following condition, and cg will meet<br /> NULL in the end.<br /> <br /> `if (pos &amp;&amp; !(cg-&gt;bpf.flags[atype] &amp; BPF_F_ALLOW_MULTI))`<br /> <br /> The NULL cg means no link or prog match, this is as expected, and it&amp;#39;s not<br /> a bug. So here just skip the no match situation.