ghsa-737f-4c7f-cgc8
Vulnerability from github
Published
2025-06-18 12:30
Modified
2025-06-18 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

BPF: Fix potential bad pointer dereference in bpf_sys_bpf()

The bpf_sys_bpf() helper function allows an eBPF program to load another eBPF program from within the kernel. In this case the argument union bpf_attr pointer (as well as the insns and license pointers inside) is a kernel address instead of a userspace address (which is the case of a usual bpf() syscall). To make the memory copying process in the syscall work in both cases, bpfptr_t was introduced to wrap around the pointer and distinguish its origin. Specifically, when copying memory contents from a bpfptr_t, a copy_from_user() is performed in case of a userspace address and a memcpy() is performed for a kernel address.

This can lead to problems because the in-kernel pointer is never checked for validity. The problem happens when an eBPF syscall program tries to call bpf_sys_bpf() to load a program but provides a bad insns pointer -- say 0xdeadbeef -- in the bpf_attr union. The helper calls __sys_bpf() which would then call bpf_prog_load() to load the program. bpf_prog_load() is responsible for copying the eBPF instructions to the newly allocated memory for the program; it creates a kernel bpfptr_t for insns and invokes copy_from_bpfptr(). Internally, all bpfptr_t operations are backed by the corresponding sockptr_t operations, which performs direct memcpy() on kernel pointers for copy_from/strncpy_from operations. Therefore, the code is always happy to dereference the bad pointer to trigger a un-handle-able page fault and in turn an oops. However, this is not supposed to happen because at that point the eBPF program is already verified and should not cause a memory error.

Sample KASAN trace:

[ 25.685056][ T228] ================================================================== [ 25.685680][ T228] BUG: KASAN: user-memory-access in copy_from_bpfptr+0x21/0x30 [ 25.686210][ T228] Read of size 80 at addr 00000000deadbeef by task poc/228 [ 25.686732][ T228] [ 25.686893][ T228] CPU: 3 PID: 228 Comm: poc Not tainted 5.19.0-rc7 #7 [ 25.687375][ T228] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014 [ 25.687991][ T228] Call Trace: [ 25.688223][ T228] [ 25.688429][ T228] dump_stack_lvl+0x73/0x9e [ 25.688747][ T228] print_report+0xea/0x200 [ 25.689061][ T228] ? copy_from_bpfptr+0x21/0x30 [ 25.689401][ T228] ? _printk+0x54/0x6e [ 25.689693][ T228] ? _raw_spin_lock_irqsave+0x70/0xd0 [ 25.690071][ T228] ? copy_from_bpfptr+0x21/0x30 [ 25.690412][ T228] kasan_report+0xb5/0xe0 [ 25.690716][ T228] ? copy_from_bpfptr+0x21/0x30 [ 25.691059][ T228] kasan_check_range+0x2bd/0x2e0 [ 25.691405][ T228] ? copy_from_bpfptr+0x21/0x30 [ 25.691734][ T228] memcpy+0x25/0x60 [ 25.692000][ T228] copy_from_bpfptr+0x21/0x30 [ 25.692328][ T228] bpf_prog_load+0x604/0x9e0 [ 25.692653][ T228] ? cap_capable+0xb4/0xe0 [ 25.692956][ T228] ? security_capable+0x4f/0x70 [ 25.693324][ T228] __sys_bpf+0x3af/0x580 [ 25.693635][ T228] bpf_sys_bpf+0x45/0x240 [ 25.693937][ T228] bpf_prog_f0ec79a5a3caca46_bpf_func1+0xa2/0xbd [ 25.694394][ T228] bpf_prog_run_pin_on_cpu+0x2f/0xb0 [ 25.694756][ T228] bpf_prog_test_run_syscall+0x146/0x1c0 [ 25.695144][ T228] bpf_prog_test_run+0x172/0x190 [ 25.695487][ T228] __sys_bpf+0x2c5/0x580 [ 25.695776][ T228] __x64_sys_bpf+0x3a/0x50 [ 25.696084][ T228] do_syscall_64+0x60/0x90 [ 25.696393][ T228] ? fpregs_assert_state_consistent+0x50/0x60 [ 25.696815][ T228] ? exit_to_user_mode_prepare+0x36/0xa0 [ 25.697202][ T228] ? syscall_exit_to_user_mode+0x20/0x40 [ 25.697586][ T228] ? do_syscall_64+0x6e/0x90 [ 25.697899][ T228] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 25.698312][ T228] RIP: 0033:0x7f6d543fb759 [ 25.698624][ T228] Code: 08 5b 89 e8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50069"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:35Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBPF: Fix potential bad pointer dereference in bpf_sys_bpf()\n\nThe bpf_sys_bpf() helper function allows an eBPF program to load another\neBPF program from within the kernel. In this case the argument union\nbpf_attr pointer (as well as the insns and license pointers inside) is a\nkernel address instead of a userspace address (which is the case of a\nusual bpf() syscall). To make the memory copying process in the syscall\nwork in both cases, bpfptr_t was introduced to wrap around the pointer\nand distinguish its origin. Specifically, when copying memory contents\nfrom a bpfptr_t, a copy_from_user() is performed in case of a userspace\naddress and a memcpy() is performed for a kernel address.\n\nThis can lead to problems because the in-kernel pointer is never checked\nfor validity. The problem happens when an eBPF syscall program tries to\ncall bpf_sys_bpf() to load a program but provides a bad insns pointer --\nsay 0xdeadbeef -- in the bpf_attr union. The helper calls __sys_bpf()\nwhich would then call bpf_prog_load() to load the program.\nbpf_prog_load() is responsible for copying the eBPF instructions to the\nnewly allocated memory for the program; it creates a kernel bpfptr_t for\ninsns and invokes copy_from_bpfptr(). Internally, all bpfptr_t\noperations are backed by the corresponding sockptr_t operations, which\nperforms direct memcpy() on kernel pointers for copy_from/strncpy_from\noperations. Therefore, the code is always happy to dereference the bad\npointer to trigger a un-handle-able page fault and in turn an oops.\nHowever, this is not supposed to happen because at that point the eBPF\nprogram is already verified and should not cause a memory error.\n\nSample KASAN trace:\n\n[   25.685056][  T228] ==================================================================\n[   25.685680][  T228] BUG: KASAN: user-memory-access in copy_from_bpfptr+0x21/0x30\n[   25.686210][  T228] Read of size 80 at addr 00000000deadbeef by task poc/228\n[   25.686732][  T228]\n[   25.686893][  T228] CPU: 3 PID: 228 Comm: poc Not tainted 5.19.0-rc7 #7\n[   25.687375][  T228] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014\n[   25.687991][  T228] Call Trace:\n[   25.688223][  T228]  \u003cTASK\u003e\n[   25.688429][  T228]  dump_stack_lvl+0x73/0x9e\n[   25.688747][  T228]  print_report+0xea/0x200\n[   25.689061][  T228]  ? copy_from_bpfptr+0x21/0x30\n[   25.689401][  T228]  ? _printk+0x54/0x6e\n[   25.689693][  T228]  ? _raw_spin_lock_irqsave+0x70/0xd0\n[   25.690071][  T228]  ? copy_from_bpfptr+0x21/0x30\n[   25.690412][  T228]  kasan_report+0xb5/0xe0\n[   25.690716][  T228]  ? copy_from_bpfptr+0x21/0x30\n[   25.691059][  T228]  kasan_check_range+0x2bd/0x2e0\n[   25.691405][  T228]  ? copy_from_bpfptr+0x21/0x30\n[   25.691734][  T228]  memcpy+0x25/0x60\n[   25.692000][  T228]  copy_from_bpfptr+0x21/0x30\n[   25.692328][  T228]  bpf_prog_load+0x604/0x9e0\n[   25.692653][  T228]  ? cap_capable+0xb4/0xe0\n[   25.692956][  T228]  ? security_capable+0x4f/0x70\n[   25.693324][  T228]  __sys_bpf+0x3af/0x580\n[   25.693635][  T228]  bpf_sys_bpf+0x45/0x240\n[   25.693937][  T228]  bpf_prog_f0ec79a5a3caca46_bpf_func1+0xa2/0xbd\n[   25.694394][  T228]  bpf_prog_run_pin_on_cpu+0x2f/0xb0\n[   25.694756][  T228]  bpf_prog_test_run_syscall+0x146/0x1c0\n[   25.695144][  T228]  bpf_prog_test_run+0x172/0x190\n[   25.695487][  T228]  __sys_bpf+0x2c5/0x580\n[   25.695776][  T228]  __x64_sys_bpf+0x3a/0x50\n[   25.696084][  T228]  do_syscall_64+0x60/0x90\n[   25.696393][  T228]  ? fpregs_assert_state_consistent+0x50/0x60\n[   25.696815][  T228]  ? exit_to_user_mode_prepare+0x36/0xa0\n[   25.697202][  T228]  ? syscall_exit_to_user_mode+0x20/0x40\n[   25.697586][  T228]  ? do_syscall_64+0x6e/0x90\n[   25.697899][  T228]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[   25.698312][  T228] RIP: 0033:0x7f6d543fb759\n[   25.698624][  T228] Code: 08 5b 89 e8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d \n---truncated---",
  "id": "GHSA-737f-4c7f-cgc8",
  "modified": "2025-06-18T12:30:46Z",
  "published": "2025-06-18T12:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50069"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f6db7148ed7382b336c5827af33b5d9e992630e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/41fd6cc88aaf7058b9dfc9c7a09cc80f99c8c830"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e2dcac2f58f5a95ab092d1da237ffdc0da1832cf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.