fkie_cve-2022-49764
Vulnerability from fkie_nvd
Published: 2025-05-01 15:15
Modified: 2025-05-02 13:53
Severity: not yet assigned (no metrics in the record)
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Prevent bpf program recursion for raw tracepoint probes
We got a report from syzbot [1] about warnings that were caused by a
bpf program attached to the contention_begin raw tracepoint triggering
the same tracepoint by using the bpf_trace_printk helper, which takes
the trace_printk_lock lock.
Call Trace:
<TASK>
? trace_event_raw_event_bpf_trace_printk+0x5f/0x90
bpf_trace_printk+0x2b/0xe0
bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
bpf_trace_run2+0x26/0x90
native_queued_spin_lock_slowpath+0x1c6/0x2b0
_raw_spin_lock_irqsave+0x44/0x50
bpf_trace_printk+0x3f/0xe0
bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
bpf_trace_run2+0x26/0x90
native_queued_spin_lock_slowpath+0x1c6/0x2b0
_raw_spin_lock_irqsave+0x44/0x50
bpf_trace_printk+0x3f/0xe0
bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
bpf_trace_run2+0x26/0x90
native_queued_spin_lock_slowpath+0x1c6/0x2b0
_raw_spin_lock_irqsave+0x44/0x50
bpf_trace_printk+0x3f/0xe0
bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
bpf_trace_run2+0x26/0x90
native_queued_spin_lock_slowpath+0x1c6/0x2b0
_raw_spin_lock_irqsave+0x44/0x50
__unfreeze_partials+0x5b/0x160
...
This can be reproduced by attaching a bpf program as a raw tracepoint on
the contention_begin tracepoint. The bpf prog calls the bpf_trace_printk
helper. Then, by running perf bench, the spin lock code is forced to
take the slow path and call the contention_begin tracepoint.
Fix this by skipping execution of the bpf program if it's
already running, using the bpf prog 'active' field, which is
currently used by trampoline programs for the same reason.
Move bpf_prog_inc_misses_counter to syscall.c because
trampoline.c is compiled in only for the CONFIG_BPF_JIT option.
[1] https://lore.kernel.org/bpf/YxhFe3EwqchC%2FfYf@krava/T/#t
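The re-entrancy guard the commit describes, as an added user-space model written for this page (it is not the kernel's code; every name ending in _sim, prog_body and run_scenario are hypothetical). The constructed scenario mirrors the call trace above: the attached program calls bpf_trace_printk, whose lock is contended, so the spin lock slow path fires contention_begin and re-enters the same program. With the 'active' check a nested entry is skipped and counted as a miss; without it the program recurses until the simulation's depth cap, standing in for the kernel stack overflowing. In the kernel the counter is per CPU; this single-threaded model uses one plain counter.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simulation-only cap standing in for the kernel stack running out. */
#define MAX_DEPTH 32

/* Constructed model of the pieces named in the commit message. */
struct bpf_prog_sim {
    bool guard;             /* true: apply the 'active' re-entrancy check (the fix) */
    unsigned int active;    /* >0 while the program is running on this CPU */
    unsigned int depth;     /* current nesting depth (diagnostic) */
    unsigned int max_depth; /* deepest nesting reached (diagnostic) */
    unsigned long runs;     /* times the program body executed */
    unsigned long misses;   /* times it was skipped (bpf_prog_inc_misses_counter) */
    bool blew_stack;        /* recursion reached MAX_DEPTH: the unfixed outcome */
};

static void bpf_trace_run_sim(struct bpf_prog_sim *p);

/* Model of bpf_trace_printk(): it takes trace_printk_lock, and under
 * perf bench that lock is contended, so the spin lock slow path fires
 * the contention_begin tracepoint, which re-enters the attached program. */
static void bpf_trace_printk_sim(struct bpf_prog_sim *p)
{
    /* _raw_spin_lock_irqsave -> native_queued_spin_lock_slowpath
     * -> contention_begin -> bpf_trace_run2 */
    bpf_trace_run_sim(p);
}

/* The attached raw-tracepoint program: its body just calls the helper. */
static void prog_body(struct bpf_prog_sim *p)
{
    bpf_trace_printk_sim(p);
}

/* Model of bpf_trace_runN(): with the fix, a program that is already
 * active on this CPU is skipped and its miss counter bumped instead. */
static void bpf_trace_run_sim(struct bpf_prog_sim *p)
{
    if (p->guard && p->active) {
        p->misses++;
        return;
    }
    if (p->depth >= MAX_DEPTH) {
        /* Simulation only: the real kernel would keep recursing and
         * eventually overflow the stack. */
        p->blew_stack = true;
        return;
    }
    p->active++;
    p->depth++;
    if (p->depth > p->max_depth)
        p->max_depth = p->depth;
    p->runs++;
    prog_body(p);
    p->depth--;
    p->active--;
}

/* Fire contention_begin once, as the contended spin lock would, and
 * return the counters so the two behaviours can be compared. */
struct bpf_prog_sim run_scenario(bool guard)
{
    struct bpf_prog_sim p = { .guard = guard };

    bpf_trace_run_sim(&p);
    return p;
}

int main(void)
{
    struct bpf_prog_sim fixed = run_scenario(true);
    struct bpf_prog_sim unfixed = run_scenario(false);

    printf("with 'active' guard:     runs=%lu misses=%lu max_depth=%u overflow=%d\n",
           fixed.runs, fixed.misses, fixed.max_depth, fixed.blew_stack);
    printf("without guard (pre-fix): runs=%lu misses=%lu max_depth=%u overflow=%d\n",
           unfixed.runs, unfixed.misses, unfixed.max_depth, unfixed.blew_stack);
    return 0;
}
```

The guarded run executes the program once and records one miss; the unguarded run nests until the cap. On a patched kernel the skipped invocations are what bpf_prog_inc_misses_counter accumulates, so a rising recursion miss count on a program's statistics (with BPF stats enabled) is the observable sign that a program is re-triggering its own tracepoint rather than a crash.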
References
- https://git.kernel.org/stable/c/05b24ff9b2cfabfcfd951daaa915a036ab53c9e1
- https://git.kernel.org/stable/c/2e5399879024fedd6cdc41f73fbf9bbe7208f899
Impacted products
Vendor | Product | Version |
---|
(none listed yet)
Record metadata
- id: CVE-2022-49764
- sourceIdentifier: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- published: 2025-05-01T15:15:59.170
- lastModified: 2025-05-02T13:53:20.943
- metrics: none assigned
- vulnStatus: Awaiting Analysis