{ "threat_severity" : "Moderate", "public_date" : "2025-06-18T00:00:00Z", "bugzilla" : { "description" : "kernel: BPF: Fix potential bad pointer dereference in bpf_sys_bpf()", "id" : "2373533", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373533" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBPF: Fix potential bad pointer dereference in bpf_sys_bpf()\nThe bpf_sys_bpf() helper function allows an eBPF program to load another\neBPF program from within the kernel. In this case the argument union\nbpf_attr pointer (as well as the insns and license pointers inside) is a\nkernel address instead of a userspace address (which is the case of a\nusual bpf() syscall). To make the memory copying process in the syscall\nwork in both cases, bpfptr_t was introduced to wrap around the pointer\nand distinguish its origin. Specifically, when copying memory contents\nfrom a bpfptr_t, a copy_from_user() is performed in case of a userspace\naddress and a memcpy() is performed for a kernel address.\nThis can lead to problems because the in-kernel pointer is never checked\nfor validity. The problem happens when an eBPF syscall program tries to\ncall bpf_sys_bpf() to load a program but provides a bad insns pointer --\nsay 0xdeadbeef -- in the bpf_attr union. The helper calls __sys_bpf()\nwhich would then call bpf_prog_load() to load the program.\nbpf_prog_load() is responsible for copying the eBPF instructions to the\nnewly allocated memory for the program; it creates a kernel bpfptr_t for\ninsns and invokes copy_from_bpfptr(). Internally, all bpfptr_t\noperations are backed by the corresponding sockptr_t operations, which\nperforms direct memcpy() on kernel pointers for copy_from/strncpy_from\noperations. Therefore, the code is always happy to dereference the bad\npointer to trigger a un-handle-able page fault and in turn an oops.\nHowever, this is not supposed to happen because at that point the eBPF\nprogram is already verified and should not cause a memory error.\nSample KASAN trace:\n[ 25.685056][ T228] ==================================================================\n[ 25.685680][ T228] BUG: KASAN: user-memory-access in copy_from_bpfptr+0x21/0x30\n[ 25.686210][ T228] Read of size 80 at addr 00000000deadbeef by task poc/228\n[ 25.686732][ T228]\n[ 25.686893][ T228] CPU: 3 PID: 228 Comm: poc Not tainted 5.19.0-rc7 #7\n[ 25.687375][ T228] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014\n[ 25.687991][ T228] Call Trace:\n[ 25.688223][ T228] \n[ 25.688429][ T228] dump_stack_lvl+0x73/0x9e\n[ 25.688747][ T228] print_report+0xea/0x200\n[ 25.689061][ T228] ? copy_from_bpfptr+0x21/0x30\n[ 25.689401][ T228] ? _printk+0x54/0x6e\n[ 25.689693][ T228] ? _raw_spin_lock_irqsave+0x70/0xd0\n[ 25.690071][ T228] ? copy_from_bpfptr+0x21/0x30\n[ 25.690412][ T228] kasan_report+0xb5/0xe0\n[ 25.690716][ T228] ? copy_from_bpfptr+0x21/0x30\n[ 25.691059][ T228] kasan_check_range+0x2bd/0x2e0\n[ 25.691405][ T228] ? copy_from_bpfptr+0x21/0x30\n[ 25.691734][ T228] memcpy+0x25/0x60\n[ 25.692000][ T228] copy_from_bpfptr+0x21/0x30\n[ 25.692328][ T228] bpf_prog_load+0x604/0x9e0\n[ 25.692653][ T228] ? cap_capable+0xb4/0xe0\n[ 25.692956][ T228] ? security_capable+0x4f/0x70\n[ 25.693324][ T228] __sys_bpf+0x3af/0x580\n[ 25.693635][ T228] bpf_sys_bpf+0x45/0x240\n[ 25.693937][ T228] bpf_prog_f0ec79a5a3caca46_bpf_func1+0xa2/0xbd\n[ 25.694394][ T228] bpf_prog_run_pin_on_cpu+0x2f/0xb0\n[ 25.694756][ T228] bpf_prog_test_run_syscall+0x146/0x1c0\n[ 25.695144][ T228] bpf_prog_test_run+0x172/0x190\n[ 25.695487][ T228] __sys_bpf+0x2c5/0x580\n[ 25.695776][ T228] __x64_sys_bpf+0x3a/0x50\n[ 25.696084][ T228] do_syscall_64+0x60/0x90\n[ 25.696393][ T228] ? fpregs_assert_state_consistent+0x50/0x60\n[ 25.696815][ T228] ? exit_to_user_mode_prepare+0x36/0xa0\n[ 25.697202][ T228] ? syscall_exit_to_user_mode+0x20/0x40\n[ 25.697586][ T228] ? do_syscall_64+0x6e/0x90\n[ 25.697899][ T228] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 25.698312][ T228] RIP: 0033:0x7f6d543fb759\n[ 25.698624][ T228] Code: 08 5b 89 e8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d \n---truncated---" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2022-11-08T00:00:00Z", "advisory" : "RHSA-2022:7683", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-425.3.1.el8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50069\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50069\nhttps://lore.kernel.org/linux-cve-announce/2025061852-CVE-2022-50069-9dba@gregkh/T" ], "name" : "CVE-2022-50069", "csaw" : false }