CVE-2022-48929

bpf: Fix crash due to out of bounds access into reg2btf_ids.

Severity Score

6.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix crash due to out of bounds access into reg2btf_ids.

When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added
kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier
reg type to the appropriate btf_vmlinux BTF ID, however
commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after
the base register types, and defined other variants using type flag
composition. However, now, the direct usage of reg->type to index into
reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to
out of bounds access and kernel crash on dereference of bad pointer.

*Credits: N/A

CVSS Scores

Red Hatv3.1 6.7

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-08-21 CVE Reserved
2024-08-22 CVE Published
2024-08-23 EPSS Updated
2024-11-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/e8efe8369944c6199f124e3b50662ad05a048b60	Vuln. Introduced
https://git.kernel.org/stable/c/931e56be527fb2672556e3c00c57ff2a5f5de43e	Vuln. Introduced
https://git.kernel.org/stable/c/35ab8c9085b0af847df7fac9571ccd26d9f0f513	Vuln. Introduced
https://git.kernel.org/stable/c/77459bc4d5e2c6f24db845780b4d9d60cf82d06a	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae	2022-05-01
https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc	2022-03-02
https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1	2022-02-16

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-48929	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2307185	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.15 < 5.15.37 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.15 < 5.15.37"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.16.1 < 5.16.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16.1 < 5.16.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.10.92 Search vendor "Linux" for product "Linux Kernel" and version "5.10.92"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.16.11 Search vendor "Linux" for product "Linux Kernel" and version "5.16.11"		en		Affected