CVE-2022-50069
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 18/06/2025
Last modified: 17/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

BPF: Fix potential bad pointer dereference in bpf_sys_bpf()

The bpf_sys_bpf() helper function allows an eBPF program to load another eBPF program from within the kernel. In this case the argument union bpf_attr pointer (as well as the insns and license pointers inside) is a kernel address instead of a userspace address (which is the case of a usual bpf() syscall). To make the memory copying process in the syscall work in both cases, bpfptr_t was introduced to wrap around the pointer and distinguish its origin. Specifically, when copying memory contents from a bpfptr_t, a copy_from_user() is performed in case of a userspace address and a memcpy() is performed for a kernel address.

This can lead to problems because the in-kernel pointer is never checked for validity. The problem happens when an eBPF syscall program tries to call bpf_sys_bpf() to load a program but provides a bad insns pointer -- say 0xdeadbeef -- in the bpf_attr union. The helper calls __sys_bpf(), which would then call bpf_prog_load() to load the program. bpf_prog_load() is responsible for copying the eBPF instructions to the newly allocated memory for the program; it creates a kernel bpfptr_t for insns and invokes copy_from_bpfptr(). Internally, all bpfptr_t operations are backed by the corresponding sockptr_t operations, which perform a direct memcpy() on kernel pointers for copy_from/strncpy_from operations. Therefore, the code is always happy to dereference the bad pointer, triggering an un-handle-able page fault and in turn an oops. However, this is not supposed to happen because at that point the eBPF program is already verified and should not cause a memory error.
<br />
Sample KASAN trace:

```text
[   25.685056][  T228] ==================================================================
[   25.685680][  T228] BUG: KASAN: user-memory-access in copy_from_bpfptr+0x21/0x30
[   25.686210][  T228] Read of size 80 at addr 00000000deadbeef by task poc/228
[   25.686732][  T228]
[   25.686893][  T228] CPU: 3 PID: 228 Comm: poc Not tainted 5.19.0-rc7 #7
[   25.687375][  T228] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014
[   25.687991][  T228] Call Trace:
[   25.688223][  T228]
[   25.688429][  T228]  dump_stack_lvl+0x73/0x9e
[   25.688747][  T228]  print_report+0xea/0x200
[   25.689061][  T228]  ? copy_from_bpfptr+0x21/0x30
[   25.689401][  T228]  ? _printk+0x54/0x6e
[   25.689693][  T228]  ? _raw_spin_lock_irqsave+0x70/0xd0
[   25.690071][  T228]  ? copy_from_bpfptr+0x21/0x30
[   25.690412][  T228]  kasan_report+0xb5/0xe0
[   25.690716][  T228]  ? copy_from_bpfptr+0x21/0x30
[   25.691059][  T228]  kasan_check_range+0x2bd/0x2e0
[   25.691405][  T228]  ? copy_from_bpfptr+0x21/0x30
[   25.691734][  T228]  memcpy+0x25/0x60
[   25.692000][  T228]  copy_from_bpfptr+0x21/0x30
[   25.692328][  T228]  bpf_prog_load+0x604/0x9e0
[   25.692653][  T228]  ? cap_capable+0xb4/0xe0
[   25.692956][  T228]  ? security_capable+0x4f/0x70
[   25.693324][  T228]  __sys_bpf+0x3af/0x580
[   25.693635][  T228]  bpf_sys_bpf+0x45/0x240
[   25.693937][  T228]  bpf_prog_f0ec79a5a3caca46_bpf_func1+0xa2/0xbd
[   25.694394][  T228]  bpf_prog_run_pin_on_cpu+0x2f/0xb0
[   25.694756][  T228]  bpf_prog_test_run_syscall+0x146/0x1c0
[   25.695144][  T228]  bpf_prog_test_run+0x172/0x190
[   25.695487][  T228]  __sys_bpf+0x2c5/0x580
[   25.695776][  T228]  __x64_sys_bpf+0x3a/0x50
[   25.696084][  T228]  do_syscall_64+0x60/0x90
[   25.696393][  T228]  ? fpregs_assert_state_consistent+0x50/0x60
[   25.696815][  T228]  ? exit_to_user_mode_prepare+0x36/0xa0
[   25.697202][  T228]  ? syscall_exit_to_user_mode+0x20/0x40
[   25.697586][  T228]  ? do_syscall_64+0x6e/0x90
[   25.697899][  T228]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   25.698312][  T228] RIP: 0033:0x7f6d543fb759
[   25.698624][  T228] Code: 08 5b 89 e8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d
```
---truncated---
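To make the origin-tagged pointer logic described above concrete, here is an added userspace C model; it is not kernel code and not the upstream fix. The names bpfptr_t, make_bpfptr(), copy_from_bpfptr() and copy_from_user() mirror the kernel's, while user_mem, kern_mem and the bounds check that stands in for kernel-pointer validation are constructed assumptions for this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Origin-tagged pointer, modelled after the kernel's bpfptr_t. */
typedef struct { void *ptr; bool is_kernel; } bpfptr_t;

static bpfptr_t make_bpfptr(uint64_t addr, bool is_kernel)
{
    return (bpfptr_t){ .ptr = (void *)(uintptr_t)addr, .is_kernel = is_kernel };
}

/* Constructed stand-ins for the two address spaces the helper may read. */
static uint8_t user_mem[64];
static uint8_t kern_mem[64];

static bool in_range(const void *p, size_t n, const uint8_t *base, size_t len)
{
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)base;
    return a >= b && n <= len && a - b <= len - n;
}

/* Like copy_from_user(): returns bytes NOT copied; a bad user address
 * fails cleanly instead of faulting. */
static size_t copy_from_user(void *dst, const void *src, size_t n)
{
    if (!in_range(src, n, user_mem, sizeof user_mem))
        return n;
    memcpy(dst, src, n);
    return 0;
}

/* The vulnerable shape in the advisory is the kernel branch being a bare
 * memcpy(). Here the kernel-origin pointer is checked first (a bounds
 * check is the model's stand-in for real validation of that pointer). */
static int copy_from_bpfptr(void *dst, bpfptr_t src, size_t n)
{
    if (!src.is_kernel)
        return copy_from_user(dst, src.ptr, n) ? -EFAULT : 0;
    if (!in_range(src.ptr, n, kern_mem, sizeof kern_mem))
        return -EFAULT;          /* unchecked, 0xdeadbeef here would oops */
    memcpy(dst, src.ptr, n);
    return 0;
}

/* Mirrors the copy bpf_prog_load() performs for attr->insns. */
static int load_insns(uint64_t insns_addr, bool is_kernel)
{
    uint8_t insns[8];
    return copy_from_bpfptr(insns, make_bpfptr(insns_addr, is_kernel), sizeof insns);
}
```

With the tag set to kernel origin and the address 0xdeadbeef from the advisory, load_insns() returns -EFAULT in this model where the unchecked kernel path would have dereferenced the pointer.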
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.14 (including) | 5.15.63 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.19.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page