CVE-2022-49985
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49985
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49985.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-49985
- Downstream
- Related
- Published
- 2025-06-18T11:00:47Z
- Modified
- 2025-10-21T11:48:38.360706Z
- Summary
- bpf: Don't use tnum_range on array range checking for poke descriptors
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: Don't use tnum_range on array range checking for poke descriptors
Hsin-Wei reported a KASAN splat triggered by their BPF runtime fuzzer which is based on a customized syzkaller:
BUG: KASAN: slab-out-of-bounds in bpfintjitcompile+0x1257/0x13f0 Read of size 8 at addr ffff888004e90b58 by task syz-executor.0/1489 CPU: 1 PID: 1489 Comm: syz-executor.0 Not tainted 5.19.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x9c/0xc9 printaddressdescription.constprop.0+0x1f/0x1f0 ? bpfintjitcompile+0x1257/0x13f0 kasanreport.cold+0xeb/0x197 ? kvmallocnode+0x170/0x200 ? bpfintjitcompile+0x1257/0x13f0 bpfintjitcompile+0x1257/0x13f0 ? archpreparebpfdispatcher+0xd0/0xd0 ? rcureadlockschedheld+0x43/0x70 bpfprogselectruntime+0x3e8/0x640 ? bpfobjnamecpy+0x149/0x1b0 bpfprogload+0x102f/0x2220 ? _bpfprogput.constprop.0+0x220/0x220 ? findheldlock+0x2c/0x110 ? _mightfault+0xd6/0x180 ? lockdowngrade+0x6e0/0x6e0 ? lockisheldtype+0xa6/0x120 ? _mightfault+0x147/0x180 _sysbpf+0x137b/0x6070 ? bpfperflinkattach+0x530/0x530 ? newsyncread+0x600/0x600 ? _fgetfiles+0x255/0x450 ? lockdowngrade+0x6e0/0x6e0 ? fput+0x30/0x1a0 ? ksyswrite+0x1a8/0x260 _x64sysbpf+0x7a/0xc0 ? syscallenterfromusermode+0x21/0x70 dosyscall64+0x3b/0x90 entrySYSCALL64afterhwframe+0x63/0xcd RIP: 0033:0x7f917c4e2c2d
The problem here is that a range of tnumrange(0, map->maxentries - 1) has limited ability to represent the concrete tight range with the tnum as the set of resulting states from value + mask can result in a superset of the actual intended range, and as such a tnumin(range, reg->varoff) check may yield true when it shouldn't, for example tnumrange(0, 2) would result in 00XX -> v = 0000, m = 0011 such that the intended set of {0, 1, 2} is here represented by a less precise superset of {0, 1, 2, 3}. As the register is known const scalar, really just use the concrete reg->varoff.value for the upper index check.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/4f672112f8665102a5842c170be1713f8ff95919
- https://git.kernel.org/stable/c/a36df92c7ff7ecde2fb362241d0ab024dddd0597
- https://git.kernel.org/stable/c/a657182a5c5150cdfacb6640aad1d2712571a409
- https://git.kernel.org/stable/c/e8979807178434db8ceaa84dfcd44363e71e50bb
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd2e4c1e6c2947269346054ac8937ccfe9e0bcc6bFixede8979807178434db8ceaa84dfcd44363e71e50bb
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd2e4c1e6c2947269346054ac8937ccfe9e0bcc6bFixed4f672112f8665102a5842c170be1713f8ff95919
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd2e4c1e6c2947269346054ac8937ccfe9e0bcc6bFixeda36df92c7ff7ecde2fb362241d0ab024dddd0597
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd2e4c1e6c2947269346054ac8937ccfe9e0bcc6bFixeda657182a5c5150cdfacb6640aad1d2712571a409
Affected versions
v5.*
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.101
v5.10.102
v5.10.103
v5.10.104
v5.10.105
v5.10.106
v5.10.107
v5.10.108
v5.10.109
v5.10.11
v5.10.110
v5.10.111
v5.10.112
v5.10.113
v5.10.114
v5.10.115
v5.10.116
v5.10.117
v5.10.118
v5.10.119
v5.10.12
v5.10.120
v5.10.121
v5.10.122
v5.10.123
v5.10.124
v5.10.125
v5.10.126
v5.10.127
v5.10.128
v5.10.129
v5.10.13
v5.10.130
v5.10.131
v5.10.132
v5.10.133
v5.10.134
v5.10.135
v5.10.136
v5.10.137
v5.10.138
v5.10.139
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.19.1
v5.19.2
v5.19.3
v5.19.4
v5.19.5
v5.4
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
Database specific
vanir_signatures
[
{
"id": "CVE-2022-49985-22d3becb",
"digest": {
"line_hashes": [
"128731924319173881470917745573428190749",
"106746196398994320182856840600357173683",
"245773809222710605600773733323605005143",
"279823160915389903760382486532087247039",
"221087486776305040377168296783351292095",
"265033153668758637482065240706498852491",
"165659535087243359243970783975546047341",
"50253702940226872493955200411486521763",
"294944198891329881320506909711140657602",
"4534805849959612913346484087511569099",
"63164644580754324186605037095086496233",
"223970162113453417028413802757024702996",
"125764997925582265887929996010398746765",
"32341488772003464444638027025629474026",
"25569250801071227913158085735898247640"
],
"threshold": 0.9
},
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "kernel/bpf/verifier.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a36df92c7ff7ecde2fb362241d0ab024dddd0597",
"signature_type": "Line"
},
{
"id": "CVE-2022-49985-58a2bad1",
"digest": {
"function_hash": "47757062399290406123005605387019596543",
"length": 892.0
},
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "record_func_key",
"file": "kernel/bpf/verifier.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a657182a5c5150cdfacb6640aad1d2712571a409",
"signature_type": "Function"
},
{
"id": "CVE-2022-49985-6beab4bd",
"digest": {
"line_hashes": [
"128731924319173881470917745573428190749",
"106746196398994320182856840600357173683",
"245773809222710605600773733323605005143",
"279823160915389903760382486532087247039",
"221087486776305040377168296783351292095",
"265033153668758637482065240706498852491",
"165659535087243359243970783975546047341",
"50253702940226872493955200411486521763",
"294944198891329881320506909711140657602",
"4534805849959612913346484087511569099",
"63164644580754324186605037095086496233",
"223970162113453417028413802757024702996",
"125764997925582265887929996010398746765",
"32341488772003464444638027025629474026",
"25569250801071227913158085735898247640"
],
"threshold": 0.9
},
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "kernel/bpf/verifier.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a657182a5c5150cdfacb6640aad1d2712571a409",
"signature_type": "Line"
},
{
"id": "CVE-2022-49985-7f383c41",
"digest": {
"line_hashes": [
"128731924319173881470917745573428190749",
"106746196398994320182856840600357173683",
"245773809222710605600773733323605005143",
"279823160915389903760382486532087247039",
"221087486776305040377168296783351292095",
"265033153668758637482065240706498852491",
"165659535087243359243970783975546047341",
"50253702940226872493955200411486521763",
"294944198891329881320506909711140657602",
"4534805849959612913346484087511569099",
"63164644580754324186605037095086496233",
"223970162113453417028413802757024702996",
"125764997925582265887929996010398746765",
"32341488772003464444638027025629474026",
"25569250801071227913158085735898247640"
],
"threshold": 0.9
},
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "kernel/bpf/verifier.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4f672112f8665102a5842c170be1713f8ff95919",
"signature_type": "Line"
},
{
"id": "CVE-2022-49985-8c322f61",
"digest": {
"function_hash": "47757062399290406123005605387019596543",
"length": 892.0
},
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "record_func_key",
"file": "kernel/bpf/verifier.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4f672112f8665102a5842c170be1713f8ff95919",
"signature_type": "Function"
},
{
"id": "CVE-2022-49985-bbdbd568",
"digest": {
"function_hash": "47757062399290406123005605387019596543",
"length": 892.0
},
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "record_func_key",
"file": "kernel/bpf/verifier.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a36df92c7ff7ecde2fb362241d0ab024dddd0597",
"signature_type": "Function"
},
{
"id": "CVE-2022-49985-cd3cea32",
"digest": {
"function_hash": "47757062399290406123005605387019596543",
"length": 892.0
},
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "record_func_key",
"file": "kernel/bpf/verifier.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e8979807178434db8ceaa84dfcd44363e71e50bb",
"signature_type": "Function"
},
{
"id": "CVE-2022-49985-e7899b51",
"digest": {
"line_hashes": [
"128731924319173881470917745573428190749",
"106746196398994320182856840600357173683",
"245773809222710605600773733323605005143",
"279823160915389903760382486532087247039",
"221087486776305040377168296783351292095",
"265033153668758637482065240706498852491",
"165659535087243359243970783975546047341",
"50253702940226872493955200411486521763",
"294944198891329881320506909711140657602",
"4534805849959612913346484087511569099",
"63164644580754324186605037095086496233",
"223970162113453417028413802757024702996",
"125764997925582265887929996010398746765",
"32341488772003464444638027025629474026",
"25569250801071227913158085735898247640"
],
"threshold": 0.9
},
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "kernel/bpf/verifier.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e8979807178434db8ceaa84dfcd44363e71e50bb",
"signature_type": "Line"
}
]