Message-ID: <2025050140-CVE-2022-49840-5186@gregkh>
Date: Thu, 1 May 2025 16:10:30 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-49840: bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()
We got a syzkaller problem because of an aarch64 alignment fault
when KFENCE is enabled. When the size from the user bpf program is an odd
number, like 399, 407, etc., it causes unaligned access to the struct
skb_shared_info. As seen below:
BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
Use-after-free read at 0xffff6254fffac077 (in kfence-#213):
__lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]
arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]
arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]
atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]
__skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
skb_clone+0xf4/0x214 net/core/skbuff.c:1481
____bpf_clone_redirect net/core/filter.c:2433 [inline]
bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420
bpf_prog_d3839dd9068ceb51+0x80/0x330
bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]
bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53
bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594
bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
__do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
__se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512
allocated by task 15074 on cpu 0 at 1342.585390s:
kmalloc include/linux/slab.h:568 [inline]
kzalloc include/linux/slab.h:675 [inline]
bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191
bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512
bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
__do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
__se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
__arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381
To fix the problem, we adjust @size so that (@size + @headroom) is a
multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info
is aligned to a cache line.
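The following is an added example (not the kernel's own code) that models the buffer layout bpf_test_init() hands to the skb code, showing why an odd user size such as 399 or 407 leaves struct skb_shared_info at an unaligned offset and how rounding (@size + @headroom) up to SMP_CACHE_BYTES fixes it. Assumptions, all labelled in the code: a 64-byte cache line as on arm64, a 320-byte skb_shared_info, headroom of NET_SKB_PAD + NET_IP_ALIGN = 34 bytes, and build_skb() placing the shared info at the allocation length minus SKB_DATA_ALIGN(sizeof(struct skb_shared_info)), with KFENCE reporting the exact requested allocation length.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define SMP_CACHE_BYTES 64u          /* assumed L1 line size (arm64)            */
#define SHINFO_SIZE     320u         /* assumed sizeof(struct skb_shared_info)  */
#define HEADROOM        (32u + 2u)   /* NET_SKB_PAD + NET_IP_ALIGN, as assumed   */

/* Model of the kernel's SKB_DATA_ALIGN(): round up to a cache-line multiple. */
static size_t skb_data_align(size_t x)
{
	return (x + SMP_CACHE_BYTES - 1) & ~(size_t)(SMP_CACHE_BYTES - 1);
}

/* Offset of skb_shared_info from the start of the buffer when the skb is
 * built from an allocation of headroom + data + tailroom bytes and the
 * allocator reports that exact length (as KFENCE does). */
size_t shinfo_offset(size_t data_size)
{
	size_t tailroom = skb_data_align(SHINFO_SIZE);
	size_t alloc = HEADROOM + data_size + tailroom;

	return alloc - skb_data_align(SHINFO_SIZE);
}

bool shinfo_aligned(size_t data_size)
{
	return shinfo_offset(data_size) % SMP_CACHE_BYTES == 0;
}

/* The adjustment described in the fix: make (size + headroom) a multiple of
 * SMP_CACHE_BYTES so the shared info lands on a cache line. */
size_t adjusted_size(size_t user_size)
{
	return skb_data_align(user_size + HEADROOM) - HEADROOM;
}

int main(void)
{
	const size_t sizes[] = { 399, 407, 64 };

	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		size_t s = sizes[i], a = adjusted_size(s);

		printf("user size %zu: shinfo at %zu (%s) -> adjusted %zu: shinfo at %zu (%s)\n",
		       s, shinfo_offset(s), shinfo_aligned(s) ? "aligned" : "UNALIGNED",
		       a, shinfo_offset(a), shinfo_aligned(a) ? "aligned" : "UNALIGNED");
	}
	return 0;
}
```

The unadjusted offsets are odd for odd user sizes, which is what makes the atomic dataref increment in __skb_clone() fault on arm64; the adjusted sizes are stable under a second adjustment, so the rounding is idempotent.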
The Linux kernel CVE team has assigned CVE-2022-49840 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 4.14.300 with commit 047824a730699c6c66df43306b80f700c9dfc2fd
Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 4.19.267 with commit 730fb1ef974a13915bc7651364d8b3318891cd70
Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 5.4.225 with commit 7a704dbfd3735304e261f2787c52fbc7c3884736
Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 5.10.156 with commit e60f37a1d379c821c17b08f366412dce9ef3d99f
Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 5.15.80 with commit eaa8edd86514afac9deb9bf9a5053e74f37edf40
Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 6.0.10 with commit 1b597f2d6a55e9f549989913860ad5170da04964
Issue introduced in 4.12 with commit 1cf1cae963c2e6032aebe1637e995bc2f5d330f4 and fixed in 6.1 with commit d3fd203f36d46aa29600a72d57a1b61af80e4a25
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49840
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/bpf/test_run.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/047824a730699c6c66df43306b80f700c9dfc2fd
https://git.kernel.org/stable/c/730fb1ef974a13915bc7651364d8b3318891cd70
https://git.kernel.org/stable/c/7a704dbfd3735304e261f2787c52fbc7c3884736
https://git.kernel.org/stable/c/e60f37a1d379c821c17b08f366412dce9ef3d99f
https://git.kernel.org/stable/c/eaa8edd86514afac9deb9bf9a5053e74f37edf40
https://git.kernel.org/stable/c/1b597f2d6a55e9f549989913860ad5170da04964
https://git.kernel.org/stable/c/d3fd203f36d46aa29600a72d57a1b61af80e4a25