ghsa-7wj3-cv8c-chpx
Vulnerability from github
Published
2025-05-01 15:31
Modified
2025-05-01 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Prevent bpf program recursion for raw tracepoint probes

We got report from sysbot [1] about warnings that were caused by bpf program attached to contention_begin raw tracepoint triggering the same tracepoint by using bpf_trace_printk helper that takes trace_printk_lock lock.

Call Trace: ? trace_event_raw_event_bpf_trace_printk+0x5f/0x90 bpf_trace_printk+0x2b/0xe0 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24 bpf_trace_run2+0x26/0x90 native_queued_spin_lock_slowpath+0x1c6/0x2b0 _raw_spin_lock_irqsave+0x44/0x50 bpf_trace_printk+0x3f/0xe0 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24 bpf_trace_run2+0x26/0x90 native_queued_spin_lock_slowpath+0x1c6/0x2b0 _raw_spin_lock_irqsave+0x44/0x50 bpf_trace_printk+0x3f/0xe0 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24 bpf_trace_run2+0x26/0x90 native_queued_spin_lock_slowpath+0x1c6/0x2b0 _raw_spin_lock_irqsave+0x44/0x50 bpf_trace_printk+0x3f/0xe0 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24 bpf_trace_run2+0x26/0x90 native_queued_spin_lock_slowpath+0x1c6/0x2b0 _raw_spin_lock_irqsave+0x44/0x50 __unfreeze_partials+0x5b/0x160 ...

The can be reproduced by attaching bpf program as raw tracepoint on contention_begin tracepoint. The bpf prog calls bpf_trace_printk helper. Then by running perf bench the spin lock code is forced to take slow path and call contention_begin tracepoint.

Fixing this by skipping execution of the bpf program if it's already running, Using bpf prog 'active' field, which is being currently used by trampoline programs for the same reason.

Moving bpf_prog_inc_misses_counter to syscall.c because trampoline.c is compiled in just for CONFIG_BPF_JIT option.

[1] https://lore.kernel.org/bpf/YxhFe3EwqchC%2FfYf@krava/T/#t

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49764"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:15:59Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent bpf program recursion for raw tracepoint probes\n\nWe got report from sysbot [1] about warnings that were caused by\nbpf program attached to contention_begin raw tracepoint triggering\nthe same tracepoint by using bpf_trace_printk helper that takes\ntrace_printk_lock lock.\n\n Call Trace:\n  \u003cTASK\u003e\n  ? trace_event_raw_event_bpf_trace_printk+0x5f/0x90\n  bpf_trace_printk+0x2b/0xe0\n  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24\n  bpf_trace_run2+0x26/0x90\n  native_queued_spin_lock_slowpath+0x1c6/0x2b0\n  _raw_spin_lock_irqsave+0x44/0x50\n  bpf_trace_printk+0x3f/0xe0\n  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24\n  bpf_trace_run2+0x26/0x90\n  native_queued_spin_lock_slowpath+0x1c6/0x2b0\n  _raw_spin_lock_irqsave+0x44/0x50\n  bpf_trace_printk+0x3f/0xe0\n  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24\n  bpf_trace_run2+0x26/0x90\n  native_queued_spin_lock_slowpath+0x1c6/0x2b0\n  _raw_spin_lock_irqsave+0x44/0x50\n  bpf_trace_printk+0x3f/0xe0\n  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24\n  bpf_trace_run2+0x26/0x90\n  native_queued_spin_lock_slowpath+0x1c6/0x2b0\n  _raw_spin_lock_irqsave+0x44/0x50\n  __unfreeze_partials+0x5b/0x160\n  ...\n\nThe can be reproduced by attaching bpf program as raw tracepoint on\ncontention_begin tracepoint. The bpf prog calls bpf_trace_printk\nhelper. Then by running perf bench the spin lock code is forced to\ntake slow path and call contention_begin tracepoint.\n\nFixing this by skipping execution of the bpf program if it\u0027s\nalready running, Using bpf prog \u0027active\u0027 field, which is being\ncurrently used by trampoline programs for the same reason.\n\nMoving bpf_prog_inc_misses_counter to syscall.c because\ntrampoline.c is compiled in just for CONFIG_BPF_JIT option.\n\n[1] https://lore.kernel.org/bpf/YxhFe3EwqchC%2FfYf@krava/T/#t",
  "id": "GHSA-7wj3-cv8c-chpx",
  "modified": "2025-05-01T15:31:46Z",
  "published": "2025-05-01T15:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49764"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/05b24ff9b2cfabfcfd951daaa915a036ab53c9e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2e5399879024fedd6cdc41f73fbf9bbe7208f899"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.