CVE-2022-49878
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49878
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49878.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-49878
- Downstream
- Published
- 2025-05-01T14:10:26Z
- Modified
- 2025-10-21T11:28:35.208567Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- bpf, verifier: Fix memory leak in array reallocation for stack state
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf, verifier: Fix memory leak in array reallocation for stack state
If an error (NULL) is returned by krealloc(), callers of realloc_array() were setting their allocation pointers to NULL, but on error krealloc() does not touch the original allocation. This would result in a memory resource leak. Instead, free the old allocation on the error handling path.
The memory leak information is as follows as also reported by Zhengchao:
unreferenced object 0xffff888019801800 (size 256): comm "bpfrepo", pid 6490, jiffies 4294959200 (age 17.170s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000b211474b>] _kmallocnodetrackcaller+0x45/0xc0 [<0000000086712a0b>] krealloc+0x83/0xd0 [<00000000139aab02>] reallocarray+0x82/0xe2 [<00000000b1ca41d1>] growstackstate+0xfb/0x186 [<00000000cd6f36d2>] checkmemaccess.cold+0x141/0x1341 [<0000000081780455>] docheckcommon+0x5358/0xb350 [<0000000015f6b091>] bpfcheck.cold+0xc3/0x29d [<000000002973c690>] bpfprogload+0x13db/0x2240 [<00000000028d1644>] _sysbpf+0x1605/0x4ce0 [<00000000053f29bd>] _x64sysbpf+0x75/0xb0 [<0000000056fedaf5>] dosyscall64+0x35/0x80 [<000000002bd58261>] entrySYSCALL64afterhwframe+0x63/0xcd
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc69431aab67a912836e5831f03d99a819c14c9c3Fixed06615967d4889b08b19ff3dda96e8b131282f73d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc69431aab67a912836e5831f03d99a819c14c9c3Fixed3e210891c4a4c2d858cd6f9f61d5809af251d4df
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc69431aab67a912836e5831f03d99a819c14c9c3Fixed42378a9ca55347102bbf86708776061d8fe3ece2
Affected versions
v5.*
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.72
v5.15.73
v5.15.74
v5.15.75
v5.15.76
v5.15.77
v5.15.78
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.1-rc1
v6.1-rc2
Database specific
vanir_signatures
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@42378a9ca55347102bbf86708776061d8fe3ece2",
"target": {
"file": "kernel/bpf/verifier.c"
},
"id": "CVE-2022-49878-0c0465ab",
"deprecated": false,
"signature_type": "Line",
"digest": {
"line_hashes": [
"10164658385997473613056401483987235067",
"52900355233647538110274646087166624309",
"202606473048576514969660970564393061778",
"40905476158471251056761730978035249520",
"293185093536707673925438755084113469952",
"156937650465314401689518895167611839865",
"245730411495615566909761753879405907358",
"314014812409366368124797750585880916515",
"319005287035335756998278969047403767959"
],
"threshold": 0.9
},
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e210891c4a4c2d858cd6f9f61d5809af251d4df",
"target": {
"file": "kernel/bpf/verifier.c"
},
"id": "CVE-2022-49878-27b83755",
"deprecated": false,
"signature_type": "Line",
"digest": {
"line_hashes": [
"10164658385997473613056401483987235067",
"52900355233647538110274646087166624309",
"202606473048576514969660970564393061778",
"40905476158471251056761730978035249520",
"293185093536707673925438755084113469952",
"156937650465314401689518895167611839865",
"245730411495615566909761753879405907358",
"314014812409366368124797750585880916515",
"319005287035335756998278969047403767959"
],
"threshold": 0.9
},
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@06615967d4889b08b19ff3dda96e8b131282f73d",
"target": {
"function": "realloc_array",
"file": "kernel/bpf/verifier.c"
},
"id": "CVE-2022-49878-4993123e",
"deprecated": false,
"signature_type": "Function",
"digest": {
"function_hash": "103110647073954972483202333166811996090",
"length": 353.0
},
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@06615967d4889b08b19ff3dda96e8b131282f73d",
"target": {
"file": "kernel/bpf/verifier.c"
},
"id": "CVE-2022-49878-b378bc33",
"deprecated": false,
"signature_type": "Line",
"digest": {
"line_hashes": [
"10164658385997473613056401483987235067",
"52900355233647538110274646087166624309",
"202606473048576514969660970564393061778",
"40905476158471251056761730978035249520",
"293185093536707673925438755084113469952",
"156937650465314401689518895167611839865",
"245730411495615566909761753879405907358",
"314014812409366368124797750585880916515",
"319005287035335756998278969047403767959"
],
"threshold": 0.9
},
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@42378a9ca55347102bbf86708776061d8fe3ece2",
"target": {
"function": "realloc_array",
"file": "kernel/bpf/verifier.c"
},
"id": "CVE-2022-49878-bbecac46",
"deprecated": false,
"signature_type": "Function",
"digest": {
"function_hash": "103110647073954972483202333166811996090",
"length": 353.0
},
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e210891c4a4c2d858cd6f9f61d5809af251d4df",
"target": {
"function": "realloc_array",
"file": "kernel/bpf/verifier.c"
},
"id": "CVE-2022-49878-d9fdff9d",
"deprecated": false,
"signature_type": "Function",
"digest": {
"function_hash": "103110647073954972483202333166811996090",
"length": 353.0
},
"signature_version": "v1"
}
]