CVE-2022-49985

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Don&amp;#39;t use tnum_range on array range checking for poke descriptors<br /> <br /> Hsin-Wei reported a KASAN splat triggered by their BPF runtime fuzzer which<br /> is based on a customized syzkaller:<br /> <br /> BUG: KASAN: slab-out-of-bounds in bpf_int_jit_compile+0x1257/0x13f0<br /> Read of size 8 at addr ffff888004e90b58 by task syz-executor.0/1489<br /> CPU: 1 PID: 1489 Comm: syz-executor.0 Not tainted 5.19.0 #1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br /> 1.13.0-1ubuntu1.1 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x9c/0xc9<br /> print_address_description.constprop.0+0x1f/0x1f0<br /> ? bpf_int_jit_compile+0x1257/0x13f0<br /> kasan_report.cold+0xeb/0x197<br /> ? kvmalloc_node+0x170/0x200<br /> ? bpf_int_jit_compile+0x1257/0x13f0<br /> bpf_int_jit_compile+0x1257/0x13f0<br /> ? arch_prepare_bpf_dispatcher+0xd0/0xd0<br /> ? rcu_read_lock_sched_held+0x43/0x70<br /> bpf_prog_select_runtime+0x3e8/0x640<br /> ? bpf_obj_name_cpy+0x149/0x1b0<br /> bpf_prog_load+0x102f/0x2220<br /> ? __bpf_prog_put.constprop.0+0x220/0x220<br /> ? find_held_lock+0x2c/0x110<br /> ? __might_fault+0xd6/0x180<br /> ? lock_downgrade+0x6e0/0x6e0<br /> ? lock_is_held_type+0xa6/0x120<br /> ? __might_fault+0x147/0x180<br /> __sys_bpf+0x137b/0x6070<br /> ? bpf_perf_link_attach+0x530/0x530<br /> ? new_sync_read+0x600/0x600<br /> ? __fget_files+0x255/0x450<br /> ? lock_downgrade+0x6e0/0x6e0<br /> ? fput+0x30/0x1a0<br /> ? ksys_write+0x1a8/0x260<br /> __x64_sys_bpf+0x7a/0xc0<br /> ? syscall_enter_from_user_mode+0x21/0x70<br /> do_syscall_64+0x3b/0x90<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> RIP: 0033:0x7f917c4e2c2d<br /> <br /> The problem here is that a range of tnum_range(0, map-&gt;max_entries - 1) has<br /> limited ability to represent the concrete tight range with the tnum as the<br /> set of resulting states from value + mask can result in a superset of the<br /> actual intended range, and as such a tnum_in(range, reg-&gt;var_off) check may<br /> yield true when it shouldn&amp;#39;t, for example tnum_range(0, 2) would result in<br /> 00XX -&gt; v = 0000, m = 0011 such that the intended set of {0, 1, 2} is here<br /> represented by a less precise superset of {0, 1, 2, 3}. As the register is<br /> known const scalar, really just use the concrete reg-&gt;var_off.value for the<br /> upper index check.