ghsa-34r5-4vr6-q5h6
Vulnerability from github
Published
2025-06-18 12:30
Modified
2025-06-18 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO

Precision markers need to be propagated whenever we have an ARG_CONST_* style argument, as the verifier cannot consider imprecise scalars to be equivalent for the purposes of states_equal check when such arguments refine the return value (in this case, set mem_size for PTR_TO_MEM). The resultant mem_size for the R0 is derived from the constant value, and if the verifier incorrectly prunes states considering them equivalent where such arguments exist (by seeing that both registers have reg->precise as false in regsafe), we can end up with invalid programs passing the verifier which can do access beyond what should have been the correct mem_size in that explored state.

To show a concrete example of the problem:

0000000000000000 : 0: r2 = (u32 )(r1 + 80) 1: r1 = (u32 )(r1 + 76) 2: r3 = r1 3: r3 += 4 4: if r3 > r2 goto +18 5: w2 = 0 6: (u32 )(r1 + 0) = r2 7: r1 = (u32 )(r1 + 0) 8: r2 = 1 9: if w1 == 0 goto +1 10: r2 = -1

0000000000000058 : 11: r1 = 0 ll 13: r3 = 0 14: call bpf_ringbuf_reserve 15: if r0 == 0 goto +7 16: r1 = r0 17: r1 += 16777215 18: w2 = 0 19: (u8 )(r1 + 0) = r2 20: r1 = r0 21: r2 = 0 22: call bpf_ringbuf_submit

00000000000000b8 : 23: w0 = 0 24: exit

For the first case, the single line execution's exploration will prune the search at insn 14 for the branch insn 9's second leg as it will be verified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will always be 0 so at runtime we don't get error for being greater than UINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just sees reg->precise as false for both r2 registers in both states, hence considers them equal for purposes of states_equal.

If we propagated precise markers using the backtracking support, we would use the precise marking to then ensure that old r2 (UINT_MAX) was within the new r2 (1) and this would never be true, so the verification would rightfully fail.

The end result is that the out of bounds access at instruction 19 would be permitted without this fix.

Note that reg->precise is always set to true when user does not have CAP_BPF (or when subprog count is greater than 1 (i.e. use of any static or global functions)), hence this is only a problem when precision marks need to be explicitly propagated (i.e. privileged users with CAP_BPF).

A simplified test case has been included in the next patch to prevent future regressions.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49961"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:23Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO\n\nPrecision markers need to be propagated whenever we have an ARG_CONST_*\nstyle argument, as the verifier cannot consider imprecise scalars to be\nequivalent for the purposes of states_equal check when such arguments\nrefine the return value (in this case, set mem_size for PTR_TO_MEM). The\nresultant mem_size for the R0 is derived from the constant value, and if\nthe verifier incorrectly prunes states considering them equivalent where\nsuch arguments exist (by seeing that both registers have reg-\u003eprecise as\nfalse in regsafe), we can end up with invalid programs passing the\nverifier which can do access beyond what should have been the correct\nmem_size in that explored state.\n\nTo show a concrete example of the problem:\n\n0000000000000000 \u003cprog\u003e:\n       0:       r2 = *(u32 *)(r1 + 80)\n       1:       r1 = *(u32 *)(r1 + 76)\n       2:       r3 = r1\n       3:       r3 += 4\n       4:       if r3 \u003e r2 goto +18 \u003cLBB5_5\u003e\n       5:       w2 = 0\n       6:       *(u32 *)(r1 + 0) = r2\n       7:       r1 = *(u32 *)(r1 + 0)\n       8:       r2 = 1\n       9:       if w1 == 0 goto +1 \u003cLBB5_3\u003e\n      10:       r2 = -1\n\n0000000000000058 \u003cLBB5_3\u003e:\n      11:       r1 = 0 ll\n      13:       r3 = 0\n      14:       call bpf_ringbuf_reserve\n      15:       if r0 == 0 goto +7 \u003cLBB5_5\u003e\n      16:       r1 = r0\n      17:       r1 += 16777215\n      18:       w2 = 0\n      19:       *(u8 *)(r1 + 0) = r2\n      20:       r1 = r0\n      21:       r2 = 0\n      22:       call bpf_ringbuf_submit\n\n00000000000000b8 \u003cLBB5_5\u003e:\n      23:       w0 = 0\n      24:       exit\n\nFor the first case, the single line execution\u0027s exploration will prune\nthe search at insn 14 for the branch insn 9\u0027s second leg as it will be\nverified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will\nalways be 0 so at runtime we don\u0027t get error for being greater than\nUINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just\nsees reg-\u003eprecise as false for both r2 registers in both states, hence\nconsiders them equal for purposes of states_equal.\n\nIf we propagated precise markers using the backtracking support, we\nwould use the precise marking to then ensure that old r2 (UINT_MAX) was\nwithin the new r2 (1) and this would never be true, so the verification\nwould rightfully fail.\n\nThe end result is that the out of bounds access at instruction 19 would\nbe permitted without this fix.\n\nNote that reg-\u003eprecise is always set to true when user does not have\nCAP_BPF (or when subprog count is greater than 1 (i.e. use of any static\nor global functions)), hence this is only a problem when precision marks\nneed to be explicitly propagated (i.e. privileged users with CAP_BPF).\n\nA simplified test case has been included in the next patch to prevent\nfuture regressions.",
  "id": "GHSA-34r5-4vr6-q5h6",
  "modified": "2025-06-18T12:30:37Z",
  "published": "2025-06-18T12:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49961"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2459615a8d7f44ac81f0965bc094e55ccb254717"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2fc31465c5373b5ca4edf2e5238558cb62902311"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.