{ "threat_severity" : "Low", "public_date" : "2025-12-09T00:00:00Z", "bugzilla" : { "description" : "kernel: bpf: Fix reference state management for synchronous callbacks", "id" : "2420299", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420299" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-911", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf: Fix reference state management for synchronous callbacks\nCurrently, verifier verifies callback functions (sync and async) as if\nthey will be executed once, (i.e. it explores execution state as if the\nfunction was being called once). The next insn to explore is set to\nstart of subprog and the exit from nested frame is handled using\ncurframe > 0 and prepare_func_exit. In case of async callback it uses a\ncustomized variant of push_stack simulating a kind of branch to set up\ncustom state and execution context for the async callback.\nWhile this approach is simple and works when callback really will be\nexecuted only once, it is unsafe for all of our current helpers which\nare for_each style, i.e. they execute the callback multiple times.\nA callback releasing acquired references of the caller may do so\nmultiple times, but currently verifier sees it as one call inside the\nframe, which then returns to caller. Hence, it thinks it released some\nreference that the cb e.g. got access through callback_ctx (register\nfilled inside cb from spilled typed register on stack).\nSimilarly, it may see that an acquire call is unpaired inside the\ncallback, so the caller will copy the reference state of callback and\nthen will have to release the register with new ref_obj_ids. But again,\nthe callback may execute multiple times, but the verifier will only\naccount for acquired references for a single symbolic execution of the\ncallback, which will cause leaks.\nNote that for async callback case, things are different. While currently\nwe have bpf_timer_set_callback which only executes it once, even for\nmultiple executions it would be safe, as reference state is NULL and\ncheck_reference_leak would force program to release state before\nBPF_EXIT. The state is also unaffected by analysis for the caller frame.\nHence async callback is safe.\nSince we want the reference state to be accessible, e.g. for pointers\nloaded from stack through callback_ctx's PTR_TO_STACK, we still have to\ncopy caller's reference_state to callback's bpf_func_state, but we\nenforce that whatever references it adds to that reference_state has\nbeen released before it hits BPF_EXIT. This requires introducing a new\ncallback_ref member in the reference state to distinguish between caller\nvs callee references. Hence, check_reference_leak now errors out if it\nsees we are in callback_fn and we have not released callback_ref refs.\nSince there can be multiple nested callbacks, like frame 0 -> cb1 -> cb2\netc. we need to also distinguish between whether this particular ref\nbelongs to this callback frame or parent, and only error for our own, so\nwe store state->frameno (which is always non-zero for callbacks).\nIn short, callbacks can read parent reference_state, but cannot mutate\nit, to be able to use pointers acquired by the caller. They must only\nundo their changes (by releasing their own acquired_refs before\nBPF_EXIT) on top of caller reference_state before returning (at which\npoint the caller and callback state will match anyway, so no need to\ncopy it back to caller).", "A flaw was found in the Linux kernel's BPF verifier. The verifier incorrectly handles reference state management for synchronous callbacks that execute multiple times (for_each style helpers). This can lead to reference leaks when callbacks acquire references, or double-free conditions when callbacks release caller-owned references multiple times, potentially causing memory corruption or denial of service." ], "statement" : "This flaw requires the ability to load BPF programs, which is typically restricted to privileged users or those with CAP_BPF capability. The impact is limited to denial of service through resource exhaustion.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50650\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50650\nhttps://lore.kernel.org/linux-cve-announce/2025120937-CVE-2022-50650-fbae@gregkh/T" ], "name" : "CVE-2022-50650", "csaw" : false }