CVE-2022-49548

bpf: Fix potential array overflow in bpf_trampoline_get_progs()

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MITRE
TN

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix potential array overflow in bpf_trampoline_get_progs() The cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not
include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of
the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline
can exceed BPF_MAX_TRAMP_PROGS. When this happens, the assignment '*progs++ = aux->prog' in
bpf_trampoline_get_progs() will cause progs array overflow as the
progs field in the bpf_tramp_progs struct can only hold at most
BPF_MAX_TRAMP_PROGS bpf programs.

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix potential array overflow in bpf_trampoline_get_progs() The cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline can exceed BPF_MAX_TRAMP_PROGS. When this happens, the assignment '*progs++ = aux->prog' in bpf_trampoline_get_progs() will cause progs array overflow as the progs field in the bpf_tramp_progs struct can only hold at most BPF_MAX_TRAMP_PROGS bpf programs.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-02-26 CVE Reserved
2025-02-26 CVE Published
2025-02-26 CVE Updated
2025-02-27 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/88fd9e5352fe05f7fe57778293aebd4cd106960b	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/7f845de2863334bed4f362e95853f5e7bc323737	2022-06-06
https://git.kernel.org/stable/c/e36452d5da6325df7c10cffc60a9e68d21e2606d	2022-06-06
https://git.kernel.org/stable/c/32c4559c61652f24c9fdd5440342196fe37453bc	2022-06-06
https://git.kernel.org/stable/c/4f8897bcc20b9ae44758e0572538d741ab66f0dc	2022-06-06
https://git.kernel.org/stable/c/a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d	2022-05-12

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.10.120 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.10.120"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.15.45 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.15.45"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.17.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.17.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.18.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.18.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.19"		en		Affected