CVE-2022-50168

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50168
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50168.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50168
Downstream
Published
2025-06-18T11:15:47Z
Modified
2025-08-09T19:01:27Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, x86: fix freeing of not-finalized bpfprogpack

syzbot reported a few issues with bpfprogpack [1], [2]. This only happens with multiple subprogs. In jitsubprogs(), we first call bpfintjitcompile() on each sub program. And then, we call it on each sub program again. jitdata is not freed in the first call of bpfintjitcompile(). Similarly we don't call bpfjitbinarypackfinalize() in the first call of bpfintjit_compile().

If bpfintjitcompile() failed for one sub program, we will call bpfjitbinarypackfinalize() for this sub program. However, we don't have a chance to call it for other sub programs. Then we will hit "goto outfree" in jitsubprogs(), and call bpfjitfree on some subprograms that haven't got bpfjitbinarypack_finalize() yet.

At this point, bpfjitbinarypackfree() is called and the whole 2MB page is freed erroneously.

Fix this with a custom bpfjitfree() for x8664, which calls bpfjitbinarypackfinalize() if necessary. Also, with custom bpfjitfree(), bpfprogaux->usebpfprogpack is not needed any more, remove it.

[1] https://syzkaller.appspot.com/bug?extid=2f649ec6d2eea1495a8f [2] https://syzkaller.appspot.com/bug?extid=87f65c75f4a72db05445

References

Affected packages