fkie_cve-2022-50168
Vulnerability from fkie_nvd
Published
2025-06-18 11:15
Modified
2025-06-18 13:47
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf, x86: fix freeing of not-finalized bpf_prog_pack syzbot reported a few issues with bpf_prog_pack [1], [2]. This only happens with multiple subprogs. In jit_subprogs(), we first call bpf_int_jit_compile() on each sub program. And then, we call it on each sub program again. jit_data is not freed in the first call of bpf_int_jit_compile(). Similarly we don't call bpf_jit_binary_pack_finalize() in the first call of bpf_int_jit_compile(). If bpf_int_jit_compile() failed for one sub program, we will call bpf_jit_binary_pack_finalize() for this sub program. However, we don't have a chance to call it for other sub programs. Then we will hit "goto out_free" in jit_subprogs(), and call bpf_jit_free on some subprograms that haven't got bpf_jit_binary_pack_finalize() yet. At this point, bpf_jit_binary_pack_free() is called and the whole 2MB page is freed erroneously. Fix this with a custom bpf_jit_free() for x86_64, which calls bpf_jit_binary_pack_finalize() if necessary. Also, with custom bpf_jit_free(), bpf_prog_aux->use_bpf_prog_pack is not needed any more, remove it. [1] https://syzkaller.appspot.com/bug?extid=2f649ec6d2eea1495a8f [2] https://syzkaller.appspot.com/bug?extid=87f65c75f4a72db05445
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1d5f82d9dd477d5c66e0214a68c3e4f308eadd6d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/60e66074812dde9cde3d99cdd3caa9e40f1a4516
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f91ce608a79c0db3e72bd63c23e011a9ebc31505
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, x86: fix freeing of not-finalized bpf_prog_pack\n\nsyzbot reported a few issues with bpf_prog_pack [1], [2]. This only happens\nwith multiple subprogs. In jit_subprogs(), we first call bpf_int_jit_compile()\non each sub program. And then, we call it on each sub program again. jit_data\nis not freed in the first call of bpf_int_jit_compile(). Similarly we don\u0027t\ncall bpf_jit_binary_pack_finalize() in the first call of bpf_int_jit_compile().\n\nIf bpf_int_jit_compile() failed for one sub program, we will call\nbpf_jit_binary_pack_finalize() for this sub program. However, we don\u0027t have a\nchance to call it for other sub programs. Then we will hit \"goto out_free\" in\njit_subprogs(), and call bpf_jit_free on some subprograms that haven\u0027t got\nbpf_jit_binary_pack_finalize() yet.\n\nAt this point, bpf_jit_binary_pack_free() is called and the whole 2MB page is\nfreed erroneously.\n\nFix this with a custom bpf_jit_free() for x86_64, which calls\nbpf_jit_binary_pack_finalize() if necessary. Also, with custom\nbpf_jit_free(), bpf_prog_aux-\u003euse_bpf_prog_pack is not needed any more,\nremove it.\n\n[1] https://syzkaller.appspot.com/bug?extid=2f649ec6d2eea1495a8f\n[2] https://syzkaller.appspot.com/bug?extid=87f65c75f4a72db05445"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf, x86: se corrige la liberaci\u00f3n de bpf_prog_pack no finalizado. syzbot report\u00f3 algunos problemas con bpf_prog_pack [1], [2]. Esto solo ocurre con varios subprogramas. En jit_subprogs(), primero llamamos a bpf_int_jit_compile() en cada subprograma. Y luego, lo volvemos a llamar en cada subprograma. jit_data no se libera en la primera llamada de bpf_int_jit_compile(). De igual manera, no llamamos a bpf_jit_binary_pack_finalize() en la primera llamada de bpf_int_jit_compile(). Si bpf_int_jit_compile() falla en un subprograma, llamaremos a bpf_jit_binary_pack_finalize() para este subprograma. Sin embargo, no podemos llamarlo para otros subprogramas. Luego, pulsaremos \"goto out_free\" en jit_subprogs() y llamaremos a bpf_jit_free en algunos subprogramas que a\u00fan no tienen bpf_jit_binary_pack_finalize(). En este punto, se llama a bpf_jit_binary_pack_free() y se libera la p\u00e1gina completa de 2 MB por error. Se puede solucionar con un bpf_jit_free() personalizado para x86_64, que llama a bpf_jit_binary_pack_finalize() si es necesario. Adem\u00e1s, con bpf_jit_free() personalizado, bpf_prog_aux-\u0026gt;use_bpf_prog_pack ya no es necesario; elim\u00ednelo. [1] https://syzkaller.appspot.com/bug?extid=2f649ec6d2eea1495a8f [2] https://syzkaller.appspot.com/bug?extid=87f65c75f4a72db05445"
    }
  ],
  "id": "CVE-2022-50168",
  "lastModified": "2025-06-18T13:47:40.833",
  "metrics": {},
  "published": "2025-06-18T11:15:47.117",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1d5f82d9dd477d5c66e0214a68c3e4f308eadd6d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/60e66074812dde9cde3d99cdd3caa9e40f1a4516"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f91ce608a79c0db3e72bd63c23e011a9ebc31505"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.