In _regcombine64into_32 of verifier.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "212800518964856369389521039055908099567", "82273670456639605227239471073467140106", "50008848994886776224202410070084048693", "48815854679998796205627619671552671693", "56117137677885794378404042146766944008", "7714330957514461825118800607800836312", "194023082526570537671120246501057808347", "98686218519325842007826455435370768894", "138936556559382611282609909065800626524", "43062552875737140688457285069473463391", "336457266308252773091089041388094062563", "130621889521883767811136362258739594220", "338345996073162864158169348820637845904" ] }, "id": "PUB-A-189614572-687c26a4", "source": "https://android.googlesource.com/kernel/common/+/10bf4e83167cc68595b85fd73bb91e8f2c086e36", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c" }, "signature_type": "Line" }, { "digest": { "length": 515.0, "function_hash": "338367937152586792507715085095752982057" }, "id": "PUB-A-189614572-6967b176", "source": "https://android.googlesource.com/kernel/common/+/10bf4e83167cc68595b85fd73bb91e8f2c086e36", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c", "function": "__reg_combine_64_into_32" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "111124125518037698107137039674281182555", "160228749372670470806794121772081665154", "240077756689326179944605277824869898578", "293048743713854453730306841156756314741" ] }, "id": "PUB-A-189614572-a2b0ebc8", "source": "https://android.googlesource.com/kernel/common/+/10bf4e83167cc68595b85fd73bb91e8f2c086e36", "deprecated": true, "signature_version": "v1", "target": { "file": "tools/testing/selftests/bpf/verifier/array_access.c" }, "signature_type": "Line" }, { "digest": { "length": 112.0, "function_hash": "249470159820716899772598315201185433996" }, "id": "PUB-A-189614572-ba532bbf", "source": "https://android.googlesource.com/kernel/common/+/10bf4e83167cc68595b85fd73bb91e8f2c086e36", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c", "function": "__reg64_bound_u32" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/10bf4e83167cc68595b85fd73bb91e8f2c086e36" ], "spl": "2022-06-05", "severity": "Moderate", "types": [ "EoP" ] }