CVE-2022-49961

{"id": "CVE-2022-49961", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T11:15:23.347", "references": [{"url": "https://git.kernel.org/stable/c/2459615a8d7f44ac81f0965bc094e55ccb254717", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2fc31465c5373b5ca4edf2e5238558cb62902311", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO\n\nPrecision markers need to be propagated whenever we have an ARG_CONST_*\nstyle argument, as the verifier cannot consider imprecise scalars to be\nequivalent for the purposes of states_equal check when such arguments\nrefine the return value (in this case, set mem_size for PTR_TO_MEM). The\nresultant mem_size for the R0 is derived from the constant value, and if\nthe verifier incorrectly prunes states considering them equivalent where\nsuch arguments exist (by seeing that both registers have reg->precise as\nfalse in regsafe), we can end up with invalid programs passing the\nverifier which can do access beyond what should have been the correct\nmem_size in that explored state.\n\nTo show a concrete example of the problem:\n\n0000000000000000 <prog>:\n 0: r2 = *(u32 *)(r1 + 80)\n 1: r1 = *(u32 *)(r1 + 76)\n 2: r3 = r1\n 3: r3 += 4\n 4: if r3 > r2 goto +18 <LBB5_5>\n 5: w2 = 0\n 6: *(u32 *)(r1 + 0) = r2\n 7: r1 = *(u32 *)(r1 + 0)\n 8: r2 = 1\n 9: if w1 == 0 goto +1 <LBB5_3>\n 10: r2 = -1\n\n0000000000000058 <LBB5_3>:\n 11: r1 = 0 ll\n 13: r3 = 0\n 14: call bpf_ringbuf_reserve\n 15: if r0 == 0 goto +7 <LBB5_5>\n 16: r1 = r0\n 17: r1 += 16777215\n 18: w2 = 0\n 19: *(u8 *)(r1 + 0) = r2\n 20: r1 = r0\n 21: r2 = 0\n 22: call bpf_ringbuf_submit\n\n00000000000000b8 <LBB5_5>:\n 23: w0 = 0\n 24: exit\n\nFor the first case, the single line execution's exploration will prune\nthe search at insn 14 for the branch insn 9's second leg as it will be\nverified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will\nalways be 0 so at runtime we don't get error for being greater than\nUINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just\nsees reg->precise as false for both r2 registers in both states, hence\nconsiders them equal for purposes of states_equal.\n\nIf we propagated precise markers using the backtracking support, we\nwould use the precise marking to then ensure that old r2 (UINT_MAX) was\nwithin the new r2 (1) and this would never be true, so the verification\nwould rightfully fail.\n\nThe end result is that the out of bounds access at instruction 19 would\nbe permitted without this fix.\n\nNote that reg->precise is always set to true when user does not have\nCAP_BPF (or when subprog count is greater than 1 (i.e. use of any static\nor global functions)), hence this is only a problem when precision marks\nneed to be explicitly propagated (i.e. privileged users with CAP_BPF).\n\nA simplified test case has been included in the next patch to prevent\nfuture regressions."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Hacer mark_chain_precision para ARG_CONST_ALLOC_SIZE_OR_ZERO Los marcadores de precisi\u00f3n deben propagarse siempre que tengamos un argumento de estilo ARG_CONST_*, ya que el verificador no puede considerar que los escalares imprecisos sean equivalentes para los fines de la comprobaci\u00f3n states_equal cuando dichos argumentos refinan el valor de retorno (en este caso, establecer mem_size para PTR_TO_MEM). El mem_size resultante para el R0 se deriva del valor constante, y si el verificador poda incorrectamente los estados consider\u00e1ndolos equivalentes donde existen dichos argumentos (al ver que ambos registros tienen reg-&gt;precise como falso en regsafe), podemos terminar con programas no v\u00e1lidos que pasan el verificador que pueden hacer acceso m\u00e1s all\u00e1 de lo que deber\u00eda haber sido el mem_size correcto en ese estado explorado. Para mostrar un ejemplo concreto del problema: 0000000000000000 : 0: r2 = *(u32 *)(r1 + 80) 1: r1 = *(u32 *)(r1 + 76) 2: r3 = r1 3: r3 += 4 4: si r3 &gt; r2 goto +18 5: w2 = 0 6: *(u32 *)(r1 + 0) = r2 7: r1 = *(u32 *)(r1 + 0) 8: r2 = 1 9: si w1 == 0 goto +1 10: r2 = -1 0000000000000058 : 11: r1 = 0 ll 13: r3 = 0 14: llamar a bpf_ringbuf_reserve 15: si r0 == 0 goto +7 16: r1 = r0 17: r1 += 16777215 18: w2 = 0 19: *(u8 *)(r1 + 0) = r2 20: r1 = r0 21: r2 = 0 22: llamar a bpf_ringbuf_submit 00000000000000b8 : 23: w0 = 0 24: salir Para el primer caso, la exploraci\u00f3n de la ejecuci\u00f3n de una sola l\u00ednea podar\u00e1 la b\u00fasqueda en insn 14 para la segunda rama de la rama insn 9, ya que se verificar\u00e1 primero utilizando r2 = -1 (UINT_MAX), mientras que como w1 en insn 9 siempre ser\u00e1 0, por lo que en tiempo de ejecuci\u00f3n no obtenemos un error por ser mayor que UINT_MAX/4 de bpf_ringbuf_reserve. El verificador durante regsafe solo ve reg-&gt;precise como falso para ambos registros r2 en ambos estados, por lo tanto, los considera iguales para fines de states_equal. Si propag\u00e1ramos marcadores precisos utilizando el soporte de retroceso, usar\u00edamos el marcado preciso para asegurarnos de que el antiguo r2 (UINT_MAX) estuviera dentro del nuevo r2 (1) y esto nunca ser\u00eda verdadero, por lo que la verificaci\u00f3n fallar\u00eda leg\u00edtimamente. El resultado final es que el acceso fuera de los l\u00edmites en la instrucci\u00f3n 19 se permitir\u00eda sin esta correcci\u00f3n. Tenga en cuenta que reg-&gt;precise siempre se establece en verdadero cuando el usuario no tiene CAP_BPF (o cuando el recuento de subprocesos es mayor que 1 (es decir, uso de cualquier funci\u00f3n est\u00e1tica o global)), por lo tanto, esto solo es un problema cuando las marcas de precisi\u00f3n deben propagarse expl\u00edcitamente (es decir, usuarios privilegiados con CAP_BPF). Se ha incluido un caso de prueba simplificado en el pr\u00f3ximo parche para evitar futuras regresiones."}], "lastModified": "2025-11-14T18:09:29.983", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E240750A-F19E-4C50-8D2E-BC11FF9EAB4A", "versionEndExcluding": "5.19.8", "versionStartIncluding": "5.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8BD11A3-8643-49B6-BADE-5029A0117325"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F0AD220-F6A9-4012-8636-155F1B841FAD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A46498B3-78E1-4623-AAE1-94D29A42BE4E"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}