CVE-2022-48929

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix crash due to out of bounds access into reg2btf_ids. When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier reg type to the appropriate btf_vmlinux BTF ID, however commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL") moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after the base register types, and defined other variants using type flag composition. However, now, the direct usage of reg->type to index into reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to out of bounds access and kernel crash on dereference of bad pointer.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1	Patch
https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae	Patch
https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2024-08-22 04:15

Updated : 2024-08-23 02:00

NVD link : CVE-2022-48929

Mitre link : CVE-2022-48929

CVE.ORG link : CVE-2022-48929

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-125

Out-of-bounds Read

{"id": "CVE-2022-48929", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-22T04:15:15.773", "references": [{"url": "https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix crash due to out of bounds access into reg2btf_ids.\n\nWhen commit e6ac2450d6de (\"bpf: Support bpf program calling kernel function\") added\nkfunc support, it defined reg2btf_ids as a cheap way to translate the verifier\nreg type to the appropriate btf_vmlinux BTF ID, however\ncommit c25b2ae13603 (\"bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL\")\nmoved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after\nthe base register types, and defined other variants using type flag\ncomposition. However, now, the direct usage of reg->type to index into\nreg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to\nout of bounds access and kernel crash on dereference of bad pointer."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf: Se corrigi\u00f3 el bloqueo debido al acceso fuera de los l\u00edmites a reg2btf_ids. Cuando el commit e6ac2450d6de (\"bpf: admite la funci\u00f3n del kernel que llama al programa bpf\") agreg\u00f3 soporte para kfunc, defini\u00f3 reg2btf_ids como una forma econ\u00f3mica de traducir el tipo de registro del verificador al ID de BTF btf_vmlinux apropiado; sin embargo, commit c25b2ae13603 (\"bpf: reemplace PTR_TO_XXX_OR_NULL con PTR_TO_XXX | PTR_MAYBE_NULL\") movi\u00f3 __BPF_REG_TYPE_MAX del \u00faltimo miembro de la enumeraci\u00f3n bpf_reg_type a despu\u00e9s de los tipos de registro base y defini\u00f3 otras variantes utilizando la composici\u00f3n de indicadores de tipo. Sin embargo, ahora, el uso directo de reg->type para indexar en reg2btf_ids ya no puede caer en el rango __BPF_REG_TYPE_MAX y, por lo tanto, provocar un acceso fuera de los l\u00edmites y un bloqueo del kernel al desreferenciar un puntero incorrecto."}], "lastModified": "2024-08-23T02:00:22.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BEB734DF-768A-48DC-8983-4ED1A0CA1A3D", "versionEndExcluding": "5.15.37", "versionStartIncluding": "5.15.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4368C931-8568-4F36-A74D-8E41781257A6", "versionEndExcluding": "5.16.12", "versionStartIncluding": "5.16.1"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}