CVE-2022-50069

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50069
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50069.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50069
Related
Published
2025-06-18T11:15:35Z
Modified
2025-06-18T16:00:24Z
Downstream
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

BPF: Fix potential bad pointer dereference in bpfsysbpf()

The bpfsysbpf() helper function allows an eBPF program to load another eBPF program from within the kernel. In this case the argument union bpfattr pointer (as well as the insns and license pointers inside) is a kernel address instead of a userspace address (which is the case of a usual bpf() syscall). To make the memory copying process in the syscall work in both cases, bpfptrt was introduced to wrap around the pointer and distinguish its origin. Specifically, when copying memory contents from a bpfptrt, a copyfrom_user() is performed in case of a userspace address and a memcpy() is performed for a kernel address.

This can lead to problems because the in-kernel pointer is never checked for validity. The problem happens when an eBPF syscall program tries to call bpfsysbpf() to load a program but provides a bad insns pointer -- say 0xdeadbeef -- in the bpfattr union. The helper calls _sysbpf() which would then call bpfprogload() to load the program. bpfprogload() is responsible for copying the eBPF instructions to the newly allocated memory for the program; it creates a kernel bpfptrt for insns and invokes copyfrombpfptr(). Internally, all bpfptrt operations are backed by the corresponding sockptrt operations, which performs direct memcpy() on kernel pointers for copyfrom/strncpyfrom operations. Therefore, the code is always happy to dereference the bad pointer to trigger a un-handle-able page fault and in turn an oops. However, this is not supposed to happen because at that point the eBPF program is already verified and should not cause a memory error.

Sample KASAN trace:

[ 25.685056][ T228] ================================================================== [ 25.685680][ T228] BUG: KASAN: user-memory-access in copyfrombpfptr+0x21/0x30 [ 25.686210][ T228] Read of size 80 at addr 00000000deadbeef by task poc/228 [ 25.686732][ T228] [ 25.686893][ T228] CPU: 3 PID: 228 Comm: poc Not tainted 5.19.0-rc7 #7 [ 25.687375][ T228] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014 [ 25.687991][ T228] Call Trace: [ 25.688223][ T228] <TASK> [ 25.688429][ T228] dumpstacklvl+0x73/0x9e [ 25.688747][ T228] printreport+0xea/0x200 [ 25.689061][ T228] ? copyfrombpfptr+0x21/0x30 [ 25.689401][ T228] ? _printk+0x54/0x6e [ 25.689693][ T228] ? _rawspinlockirqsave+0x70/0xd0 [ 25.690071][ T228] ? copyfrombpfptr+0x21/0x30 [ 25.690412][ T228] kasanreport+0xb5/0xe0 [ 25.690716][ T228] ? copyfrombpfptr+0x21/0x30 [ 25.691059][ T228] kasancheckrange+0x2bd/0x2e0 [ 25.691405][ T228] ? copyfrombpfptr+0x21/0x30 [ 25.691734][ T228] memcpy+0x25/0x60 [ 25.692000][ T228] copyfrombpfptr+0x21/0x30 [ 25.692328][ T228] bpfprogload+0x604/0x9e0 [ 25.692653][ T228] ? capcapable+0xb4/0xe0 [ 25.692956][ T228] ? securitycapable+0x4f/0x70 [ 25.693324][ T228] _sysbpf+0x3af/0x580 [ 25.693635][ T228] bpfsysbpf+0x45/0x240 [ 25.693937][ T228] bpfprogf0ec79a5a3caca46bpffunc1+0xa2/0xbd [ 25.694394][ T228] bpfprogrunpinoncpu+0x2f/0xb0 [ 25.694756][ T228] bpfprogtestrunsyscall+0x146/0x1c0 [ 25.695144][ T228] bpfprogtestrun+0x172/0x190 [ 25.695487][ T228] _sysbpf+0x2c5/0x580 [ 25.695776][ T228] _x64sysbpf+0x3a/0x50 [ 25.696084][ T228] dosyscall64+0x60/0x90 [ 25.696393][ T228] ? fpregsassertstateconsistent+0x50/0x60 [ 25.696815][ T228] ? exittousermodeprepare+0x36/0xa0 [ 25.697202][ T228] ? syscallexittousermode+0x20/0x40 [ 25.697586][ T228] ? dosyscall64+0x6e/0x90 [ 25.697899][ T228] entrySYSCALL64after_hwframe+0x63/0xcd [ 25.698312][ T228] RIP: 0033:0x7f6d543fb759 [ 25.698624][ T228] Code: 08 5b 89 e8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d ---truncated---

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}