CVE-2022-49658

Source
https://cve.org/CVERecord?id=CVE-2022-49658
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49658.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49658
Downstream
Related
Published
2025-02-26T02:23:56.922Z
Modified
2026-07-15T01:48:56.390161078Z
Summary
bpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix insufficient bounds propagation from adjustscalarminmaxvals

Kuee reported a corner case where the tnum becomes constant after the call to __regboundoffset(), but the register's bounds are not, that is, its min bounds are still not equal to the register's max bounds.

This in turn allows to leak pointers through turning a pointer register as is into an unknown scalar via adjustptrminmaxvals().

Before:

func#0 @0 0: R1=ctx(off=0,imm=0,umax=0,varoff=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,varoff=(0x0; 0x0)) 0: (b7) r0 = 1 ; R0w=scalar(imm=1,umin=1,umax=1,varoff=(0x1; 0x0)) 1: (b7) r3 = 0 ; R3w=scalar(imm=0,umax=0,varoff=(0x0; 0x0)) 2: (87) r3 = -r3 ; R3w=scalar() 3: (87) r3 = -r3 ; R3w=scalar() 4: (47) r3 |= 32767 ; R3w=scalar(smin=-9223372036854743041,umin=32767,varoff=(0x7fff; 0xffffffffffff8000),s32min=-2147450881) 5: (75) if r3 s>= 0x0 goto pc+1 ; R3w=scalar(umin=9223372036854808575,varoff=(0x8000000000007fff; 0x7fffffffffff8000),s32min=-2147450881,u32_min=32767) 6: (95) exit

from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,varoff=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,varoff=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,varoff=(0x7fff; 0x7fffffffffff8000),s32min=-2147450881) R10=fp(off=0,imm=0,umax=0,varoff=(0x0; 0x0)) 7: (d5) if r3 s<= 0x8000 goto pc+1 ; R3=scalar(umin=32769,umax=9223372036854775807,varoff=(0x7fff; 0x7fffffffffff8000),s32min=-2147450881,u32min=32767) 8: (95) exit

from 7 to 9: R0=scalar(imm=1,umin=1,umax=1,varoff=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,varoff=(0x0; 0x0)) R3=scalar(umin=32767,umax=32768,varoff=(0x7fff; 0x8000)) R10=fp(off=0,imm=0,umax=0,varoff=(0x0; 0x0)) 9: (07) r3 += -32767 ; R3w=scalar(imm=0,umax=1,varoff=(0x0; 0x0)) <--- [*] 10: (95) exit

What can be seen here is that R3=scalar(umin=32767,umax=32768,varoff=(0x7fff; 0x8000)) after the operation R3 += -32767 results in a 'malformed' constant, that is, R3w=scalar(imm=0,umax=1,varoff=(0x0; 0x0)). Intersecting with varoff has not been done at that point via __updateregbounds(), which would have improved the umax to be equal to umin.

Refactor the tnum <> min/max bounds information flow into a regboundssync() helper and use it consistently everywhere. After the fix, bounds have been corrected to R3w=scalar(imm=0,umax=0,varoff=(0x0; 0x0)) and thus the register is regarded as a 'proper' constant scalar of 0.

After:

func#0 @0 0: R1=ctx(off=0,imm=0,umax=0,varoff=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,varoff=(0x0; 0x0)) 0: (b7) r0 = 1 ; R0w=scalar(imm=1,umin=1,umax=1,varoff=(0x1; 0x0)) 1: (b7) r3 = 0 ; R3w=scalar(imm=0,umax=0,varoff=(0x0; 0x0)) 2: (87) r3 = -r3 ; R3w=scalar() 3: (87) r3 = -r3 ; R3w=scalar() 4: (47) r3 |= 32767 ; R3w=scalar(smin=-9223372036854743041,umin=32767,varoff=(0x7fff; 0xffffffffffff8000),s32min=-2147450881) 5: (75) if r3 s>= 0x0 goto pc+1 ; R3w=scalar(umin=9223372036854808575,varoff=(0x8000000000007fff; 0x7fffffffffff8000),s32min=-2147450881,u32_min=32767) 6: (95) exit

from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,varoff=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,varoff=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,varoff=(0x7fff; 0x7fffffffffff8000),s32min=-2147450881) R10=fp(off=0,imm=0,umax=0,varoff=(0x0; 0x0)) 7: (d5) if r3 s<= 0x8000 goto pc+1 ; R3=scalar(umin=32769,umax=9223372036854775807,varoff=(0x7fff; 0x7fffffffffff8000),s32min=-2147450881,u32min=32767) 8: (95) exit

from 7 to 9: R0=scalar(imm=1,umin=1,umax=1,varoff=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,varoff=(0x0; 0x0)) R3=scalar(umin=32767,umax=32768,var_off=(0x7fff; 0x8000)) R10=fp(off=0 ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49658.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b03c9f9fdc37dab81ea04d5dacdc5995d4c224c2
Fixed
e917be1f83ea14a68b3cf64d3da9968eaf991dae
Fixed
a7de8d436db92bab8b1f44624297c2554a6ac36b
Fixed
b2a28bb36664c94375926cbbb91976242847699d
Fixed
3844d153a41adea718202c10ae91dc96b37453b5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49658.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.14.0
Fixed
5.10.130
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.54
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.18.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49658.json"