CVE-2022-49228

{"id": "CVE-2022-49228", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:00:59.840", "references": [{"url": "https://git.kernel.org/stable/c/796d5666f6422ddadc938fb888044fcc16f2dbe3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a3bcd2110c087bc62e90fddd4a93237b049d6e68", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d7e7b42f4f956f2c68ad8cda87d750093dbba737", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a btf decl_tag bug when tagging a function\n\nsyzbot reported a btf decl_tag bug with stack trace below:\n\n general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline]\n RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910\n ...\n Call Trace:\n <TASK>\n btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198\n btf_check_all_types kernel/bpf/btf.c:4239 [inline]\n btf_parse_type_sec kernel/bpf/btf.c:4280 [inline]\n btf_parse kernel/bpf/btf.c:4513 [inline]\n btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047\n bpf_btf_load kernel/bpf/syscall.c:4039 [inline]\n __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679\n __do_sys_bpf kernel/bpf/syscall.c:4738 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:4736 [inline]\n __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe kasan error is triggered with an illegal BTF like below:\n type 0: void\n type 1: int\n type 2: decl_tag to func type 3\n type 3: func to func_proto type 8\nThe total number of types is 4 and the type 3 is illegal\nsince its func_proto type is out of range.\n\nCurrently, the target type of decl_tag can be struct/union, var or func.\nBoth struct/union and var implemented their own 'resolve' callback functions\nand hence handled properly in kernel.\nBut func type doesn't have 'resolve' callback function. When\nbtf_decl_tag_resolve() tries to check func type, it tries to get\nvlen of its func_proto type, which triggered the above kasan error.\n\nTo fix the issue, btf_decl_tag_resolve() needs to do btf_func_check()\nbefore trying to accessing func_proto type.\nIn the current implementation, func type is checked with\nbtf_func_check() in the main checking function btf_check_all_types().\nTo fix the above kasan issue, let us implement 'resolve' callback\nfunc type properly. The 'resolve' callback will be also called\nin btf_check_all_types() for func types."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Se corrige un error de btf decl_tag al etiquetar una funci\u00f3n syzbot inform\u00f3 un error de btf decl_tag con el siguiente seguimiento de pila: error de protecci\u00f3n general, probablemente para una direcci\u00f3n no can\u00f3nica 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref en el rango [0x000000000000000-0x0000000000000007] CPU: 0 PID: 3592 Comm: syz-executor914 No contaminado 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:btf_type_vlen include/linux/btf.h:231 [en l\u00ednea] RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910 ... Seguimiento de llamadas: btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198 btf_check_all_types kernel/bpf/btf.c:4239 [en l\u00ednea] btf_parse_type_sec kernel/bpf/btf.c:4280 [en l\u00ednea] btf_parse kernel/bpf/btf.c:4513 [en l\u00ednea] btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047 bpf_btf_load kernel/bpf/syscall.c:4039 [en l\u00ednea] __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679 __do_sys_bpf kernel/bpf/syscall.c:4738 [en l\u00ednea] __se_sys_bpf kernel/bpf/syscall.c:4736 [en l\u00ednea] __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae El error kasan se activa con un BTF ilegal como el siguiente: tipo 0: void tipo 1: int tipo 2: decl_tag a func tipo 3 tipo 3: func a func_proto tipo 8 El n\u00famero total de tipos es 4 y el tipo 3 es ilegal ya que su tipo func_proto est\u00e1 fuera de rango. Actualmente, el tipo de destino de decl_tag puede ser struct/union, var o func. Tanto struct/union como var implementaron sus propias funciones de devoluci\u00f3n de llamada 'resolve' y, por lo tanto, se manejan correctamente en el kernel. Pero el tipo func no tiene la funci\u00f3n de devoluci\u00f3n de llamada 'resolve'. Cuando btf_decl_tag_resolve() intenta verificar el tipo func, intenta obtener vlen de su tipo func_proto, lo que activ\u00f3 el error kasan anterior. Para solucionar el problema, btf_decl_tag_resolve() debe ejecutar btf_func_check() antes de intentar acceder al tipo func_proto. En la implementaci\u00f3n actual, el tipo func se verifica con btf_func_check() en la funci\u00f3n de verificaci\u00f3n principal btf_check_all_types(). Para solucionar el problema de kasan anterior, implementemos la devoluci\u00f3n de llamada 'resolve' para el tipo func de manera adecuada. La devoluci\u00f3n de llamada 'resolve' tambi\u00e9n se llamar\u00e1 en btf_check_all_types() para los tipos func."}], "lastModified": "2025-09-22T21:02:30.603", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20C43679-0439-405A-B97F-685BEE50613B", "versionEndExcluding": "5.16.19", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF", "versionEndExcluding": "5.17.2", "versionStartIncluding": "5.17"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}