fkie_cve-2025-22087
Vulnerability from fkie_nvd
Published
2025-04-16 15:16
Modified
2025-04-17 20:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix array bounds error with may_goto
may_goto uses an additional 8 bytes on the stack, which causes the
interpreters[] array to go out of bounds when calculating index by
stack_size.
1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT
cases, reject loading directly.
2. For non-JIT cases, calculating interpreters[idx] may still cause
out-of-bounds array access, and just warn about it.
3. For jit_requested cases, the execution of bpf_func also needs to be
warned. So move the definition of function __bpf_prog_ret0_warn out of
the macro definition CONFIG_BPF_JIT_ALWAYS_ON.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix array bounds error with may_goto\n\nmay_goto uses an additional 8 bytes on the stack, which causes the\ninterpreters[] array to go out of bounds when calculating index by\nstack_size.\n\n1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT\ncases, reject loading directly.\n\n2. For non-JIT cases, calculating interpreters[idx] may still cause\nout-of-bounds array access, and just warn about it.\n\n3. For jit_requested cases, the execution of bpf_func also needs to be\nwarned. So move the definition of function __bpf_prog_ret0_warn out of\nthe macro definition CONFIG_BPF_JIT_ALWAYS_ON."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Correcci\u00f3n del error de los l\u00edmites de la matriz con may_goto. may_goto utiliza 8 bytes adicionales en la pila, lo que provoca que la matriz interpreters[] salga de los l\u00edmites al calcular el \u00edndice mediante stack_size. 1. Si se reescribe un programa BPF, reeval\u00fae el tama\u00f1o de la pila. En casos que no sean JIT, rechace la carga directamente. 2. En casos que no sean JIT, el c\u00e1lculo de interpreters[idx] puede seguir provocando un acceso a la matriz fuera de los l\u00edmites y simplemente advertir al respecto. 3. En casos con jit_requested, tambi\u00e9n se debe advertir la ejecuci\u00f3n de bpf_func. Por lo tanto, mueva la definici\u00f3n de la funci\u00f3n __bpf_prog_ret0_warn fuera de la definici\u00f3n de la macro CONFIG_BPF_JIT_ALWAYS_ON."
}
],
"id": "CVE-2025-22087",
"lastModified": "2025-04-17T20:22:16.240",
"metrics": {},
"published": "2025-04-16T15:16:02.903",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/19e6817f84000d0b06f09fd69ebd56217842c122"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/1a86ae57b2600e5749f5f674e9d4296ac00c69a8"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/4524b7febdd55fb99ae2e1f48db64019fa69e643"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/6ebc5030e0c5a698f1dd9a6684cddf6ccaed64a0"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…