CVE-2022-50168

Source: https://nvd.nist.gov/vuln/detail/CVE-2022-50168
Import Source: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50168.json
JSON Data: https://api.osv.dev/v1/vulns/CVE-2022-50168
Downstream
Published: 2025-06-18T11:03:21Z
Modified: 2025-10-21T12:10:06.915928Z
Summary
bpf, x86: fix freeing of not-finalized bpf_prog_pack
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, x86: fix freeing of not-finalized bpf_prog_pack

syzbot reported a few issues with bpf_prog_pack [1], [2]. This only happens with multiple subprogs. In jit_subprogs(), we first call bpf_int_jit_compile() on each sub program. And then, we call it on each sub program again. jit_data is not freed in the first call of bpf_int_jit_compile(). Similarly we don't call bpf_jit_binary_pack_finalize() in the first call of bpf_int_jit_compile().

If bpf_int_jit_compile() failed for one sub program, we will call bpf_jit_binary_pack_finalize() for this sub program. However, we don't have a chance to call it for other sub programs. Then we will hit "goto out_free" in jit_subprogs(), and call bpf_jit_free on some subprograms that haven't got bpf_jit_binary_pack_finalize() yet.

At this point, bpf_jit_binary_pack_free() is called and the whole 2MB page is freed erroneously.

Fix this with a custom bpf_jit_free() for x86_64, which calls bpf_jit_binary_pack_finalize() if necessary. Also, with custom bpf_jit_free(), bpf_prog_aux->use_bpf_prog_pack is not needed any more, remove it.

[1] https://syzkaller.appspot.com/bug?extid=2f649ec6d2eea1495a8f
[2] https://syzkaller.appspot.com/bug?extid=87f65c75f4a72db05445
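
The error path described in the commit message, as an added userspace model (not kernel code and not part of the advisory). All names are hypothetical; the 0xCC fill of never-written pack bytes and the rule that an oversized header size releases the whole region are modelling assumptions chosen to show how freeing a not-finalized slot can take the shared pack with it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only; every name here is hypothetical, not kernel API. */
#define PACK_SIZE 4096u  /* stands in for the shared 2MB pack */
#define FILL      0xCC   /* assumed content of never-written pack bytes */
#define NSUB      3

struct hdr { unsigned size; };   /* image header at the start of each slot */
struct pack { unsigned char mem[PACK_SIZE]; bool mapped; };
struct subprog {
    struct hdr staged;           /* writable copy produced by the first JIT pass */
    size_t off;                  /* slot offset inside the read-only pack */
    bool pending;                /* staged header not yet copied into the pack */
};

/* Copy the staged header into the pack; only now is the slot self-describing. */
static void finalize(struct pack *p, struct subprog *s)
{
    memcpy(p->mem + s->off, &s->staged, sizeof s->staged);
    s->pending = false;
}

/* Trusts the header stored in the pack. Modelling assumption: an oversized
 * size is taken for a standalone allocation, so the whole region is released. */
static void pack_free(struct pack *p, const struct subprog *s)
{
    struct hdr h;
    memcpy(&h, p->mem + s->off, sizeof h);
    if (h.size > PACK_SIZE) { p->mapped = false; return; }
    memset(p->mem + s->off, FILL, h.size);   /* release just this slot */
}

/* Error path: the second pass fails on sub program `failed`, the only one that
 * gets finalized; then every sub program is freed. Returns whether the pack,
 * which other programs may still occupy, is still mapped afterwards. */
bool pack_survives_error_path(bool fixed, int failed)
{
    struct pack p = { .mapped = true };
    struct subprog sub[NSUB];
    memset(p.mem, FILL, sizeof p.mem);
    for (int i = 0; i < NSUB; i++)           /* first pass: finalize deferred */
        sub[i] = (struct subprog){ { 128 }, (size_t)i * 256, true };
    finalize(&p, &sub[failed]);
    for (int i = 0; i < NSUB && p.mapped; i++) {
        if (fixed && sub[i].pending)         /* the fix: finalize if necessary */
            finalize(&p, &sub[i]);
        pack_free(&p, &sub[i]);
    }
    return p.mapped;
}

int main(void)
{
    printf("unfixed: mapped=%d, fixed: mapped=%d\n",
           pack_survives_error_path(false, 1), pack_survives_error_path(true, 1));
    return 0;
}
```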

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 1022a5498f6f745c3b5fd3f050a5e11e7ca354f0
  Fixed: f91ce608a79c0db3e72bd63c23e011a9ebc31505

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 1022a5498f6f745c3b5fd3f050a5e11e7ca354f0
  Fixed: 60e66074812dde9cde3d99cdd3caa9e40f1a4516

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 1022a5498f6f745c3b5fd3f050a5e11e7ca354f0
  Fixed: 1d5f82d9dd477d5c66e0214a68c3e4f308eadd6d

Affected versions

v5.*

v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.1
v5.18.10
v5.18.11
v5.18.12
v5.18.13
v5.18.14
v5.18.15
v5.18.16
v5.18.17
v5.18.2
v5.18.3
v5.18.4
v5.18.5
v5.18.6
v5.18.7
v5.18.8
v5.18.9
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.19.1

Database specific

vanir_signatures


Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 5.18.0
  Fixed: 5.18.18

Type: ECOSYSTEM
Events:
  Introduced: 5.19.0
  Fixed: 5.19.2