CVE-2022-50862

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: prevent decl_tag from being referenced in func_proto<br /> <br /> Syzkaller was able to hit the following issue:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 0 PID: 3609 at kernel/bpf/btf.c:1946<br /> btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946<br /> Modules linked in:<br /> CPU: 0 PID: 3609 Comm: syz-executor361 Not tainted<br /> 6.0.0-syzkaller-02734-g0326074ff465 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS<br /> Google 09/22/2022<br /> RIP: 0010:btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946<br /> Code: ef e8 7f 8e e4 ff 41 83 ff 0b 77 28 f6 44 24 10 18 75 3f e8 6d 91<br /> e4 ff 44 89 fe bf 0e 00 00 00 e8 20 8e e4 ff e8 5b 91 e4 ff 0b 45<br /> 31 f6 e9 98 02 00 00 41 83 ff 12 74 18 e8 46 91 e4 ff 44<br /> RSP: 0018:ffffc90003cefb40 EFLAGS: 00010293<br /> RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000<br /> RDX: ffff8880259c0000 RSI: ffffffff81968415 RDI: 0000000000000005<br /> RBP: ffff88801270ca00 R08: 0000000000000005 R09: 000000000000000e<br /> R10: 0000000000000011 R11: 0000000000000000 R12: 0000000000000000<br /> R13: 0000000000000011 R14: ffff888026ee6424 R15: 0000000000000011<br /> FS: 000055555641b300(0000) GS:ffff8880b9a00000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000f2e258 CR3: 000000007110e000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> btf_func_proto_check kernel/bpf/btf.c:4447 [inline]<br /> btf_check_all_types kernel/bpf/btf.c:4723 [inline]<br /> btf_parse_type_sec kernel/bpf/btf.c:4752 [inline]<br /> btf_parse kernel/bpf/btf.c:5026 [inline]<br /> btf_new_fd+0x1926/0x1e70 kernel/bpf/btf.c:6892<br /> bpf_btf_load kernel/bpf/syscall.c:4324 [inline]<br /> __sys_bpf+0xb7d/0x4cf0 kernel/bpf/syscall.c:5010<br /> __do_sys_bpf kernel/bpf/syscall.c:5069 [inline]<br /> __se_sys_bpf kernel/bpf/syscall.c:5067 [inline]<br /> __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:5067<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> RIP: 0033:0x7f0fbae41c69<br /> Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89<br /> f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01<br /> f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007ffc8aeb6228 EFLAGS: 00000246 ORIG_RAX: 0000000000000141<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0fbae41c69<br /> RDX: 0000000000000020 RSI: 0000000020000140 RDI: 0000000000000012<br /> RBP: 00007f0fbae05e10 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 00000000ffffffff R11: 0000000000000246 R12: 00007f0fbae05ea0<br /> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000<br /> <br /> <br /> Looks like it tries to create a func_proto which return type is<br /> decl_tag. For the details, see Martin&amp;#39;s spot on analysis in [0].<br /> <br /> 0: https://lore.kernel.org/bpf/CAKH8qBuQDLva_hHxxBuZzyAcYNO4ejhovz6TQeVSk8HY-2SO6g@mail.gmail.com/T/#mea6524b3fcd6298347432226e81b1e6155efc62c