ghsa-7crj-grwh-6247
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()
We got a syzkaller problem because of aarch64 alignment fault if KFENCE enabled. When the size from user bpf program is an odd number, like 399, 407, etc, it will cause the struct skb_shared_info's unaligned access. As seen below:
BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
Use-after-free read at 0xffff6254fffac077 (in kfence-#213): __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline] arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline] arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline] atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline] __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032 skb_clone+0xf4/0x214 net/core/skbuff.c:1481 _bpfclone_redirect net/core/filter.c:2433 [inline] bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420 bpf_prog_d3839dd9068ceb51+0x80/0x330 bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline] bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53 bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline] do_sys_bpf kernel/bpf/syscall.c:4441 [inline] __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512
allocated by task 15074 on cpu 0 at 1342.585390s: kmalloc include/linux/slab.h:568 [inline] kzalloc include/linux/slab.h:675 [inline] bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191 bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline] __do_sys_bpf kernel/bpf/syscall.c:4441 [inline] __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381 __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381
To fix the problem, we adjust @size so that (@size + @hearoom) is a multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info is aligned to a cache line.
{
"affected": [],
"aliases": [
"CVE-2022-49840"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()\n\nWe got a syzkaller problem because of aarch64 alignment fault\nif KFENCE enabled. When the size from user bpf program is an odd\nnumber, like 399, 407, etc, it will cause the struct skb_shared_info\u0027s\nunaligned access. As seen below:\n\n BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032\n\n Use-after-free read at 0xffff6254fffac077 (in kfence-#213):\n __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]\n arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]\n arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]\n atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]\n __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032\n skb_clone+0xf4/0x214 net/core/skbuff.c:1481\n ____bpf_clone_redirect net/core/filter.c:2433 [inline]\n bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420\n bpf_prog_d3839dd9068ceb51+0x80/0x330\n bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]\n bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53\n bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594\n bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]\n __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]\n __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381\n\n kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512\n\n allocated by task 15074 on cpu 0 at 1342.585390s:\n kmalloc include/linux/slab.h:568 [inline]\n kzalloc include/linux/slab.h:675 [inline]\n bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191\n bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512\n bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]\n __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]\n __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381\n __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381\n\nTo fix the problem, we adjust @size so that (@size + @hearoom) is a\nmultiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info\nis aligned to a cache line.",
"id": "GHSA-7crj-grwh-6247",
"modified": "2025-05-07T15:31:24Z",
"published": "2025-05-01T15:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49840"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/047824a730699c6c66df43306b80f700c9dfc2fd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b597f2d6a55e9f549989913860ad5170da04964"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/730fb1ef974a13915bc7651364d8b3318891cd70"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7a704dbfd3735304e261f2787c52fbc7c3884736"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d3fd203f36d46aa29600a72d57a1b61af80e4a25"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e60f37a1d379c821c17b08f366412dce9ef3d99f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eaa8edd86514afac9deb9bf9a5053e74f37edf40"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.