CVE-2022-49658
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
23/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals

Kuee reported a corner case where the tnum becomes constant after the call
to __reg_bound_offset(), but the register's bounds are not, that is, its
min bounds are still not equal to the register's max bounds.

This in turn allows pointers to be leaked by turning a pointer register as
is into an unknown scalar via adjust_ptr_min_max_vals().

Before:

```
func#0 @0
0: R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
0: (b7) r0 = 1 ; R0_w=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0))
1: (b7) r3 = 0 ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0))
2: (87) r3 = -r3 ; R3_w=scalar()
3: (87) r3 = -r3 ; R3_w=scalar()
4: (47) r3 |= 32767 ; R3_w=scalar(smin=-9223372036854743041,umin=32767,var_off=(0x7fff; 0xffffffffffff8000),s32_min=-2147450881)
5: (75) if r3 s>= 0x0 goto pc+1 ; R3_w=scalar(umin=9223372036854808575,var_off=(0x8000000000007fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)
6: (95) exit

from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
7: (d5) if r3 s
```
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.14 (including) | 5.10.130 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.54 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.18.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.19:rc5:*:*:*:*:*:* | | |



