CVE-2022-49548 (GCVE-0-2022-49548)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:40
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix potential array overflow in bpf_trampoline_get_progs() The cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline can exceed BPF_MAX_TRAMP_PROGS. When this happens, the assignment '*progs++ = aux->prog' in bpf_trampoline_get_progs() will cause progs array overflow as the progs field in the bpf_tramp_progs struct can only hold at most BPF_MAX_TRAMP_PROGS bpf programs.
Impacted products
Vendor Product Version
Linux Linux Version: 88fd9e5352fe05f7fe57778293aebd4cd106960b
Version: 88fd9e5352fe05f7fe57778293aebd4cd106960b
Version: 88fd9e5352fe05f7fe57778293aebd4cd106960b
Version: 88fd9e5352fe05f7fe57778293aebd4cd106960b
Version: 88fd9e5352fe05f7fe57778293aebd4cd106960b
Create a notification for this product.
   Linux Linux Version: 5.7
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/trampoline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7f845de2863334bed4f362e95853f5e7bc323737",
              "status": "affected",
              "version": "88fd9e5352fe05f7fe57778293aebd4cd106960b",
              "versionType": "git"
            },
            {
              "lessThan": "e36452d5da6325df7c10cffc60a9e68d21e2606d",
              "status": "affected",
              "version": "88fd9e5352fe05f7fe57778293aebd4cd106960b",
              "versionType": "git"
            },
            {
              "lessThan": "32c4559c61652f24c9fdd5440342196fe37453bc",
              "status": "affected",
              "version": "88fd9e5352fe05f7fe57778293aebd4cd106960b",
              "versionType": "git"
            },
            {
              "lessThan": "4f8897bcc20b9ae44758e0572538d741ab66f0dc",
              "status": "affected",
              "version": "88fd9e5352fe05f7fe57778293aebd4cd106960b",
              "versionType": "git"
            },
            {
              "lessThan": "a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d",
              "status": "affected",
              "version": "88fd9e5352fe05f7fe57778293aebd4cd106960b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/trampoline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.45",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.120",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.45",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.13",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.2",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix potential array overflow in bpf_trampoline_get_progs()\n\nThe cnt value in the \u0027cnt \u003e= BPF_MAX_TRAMP_PROGS\u0027 check does not\ninclude BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of\nthe attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline\ncan exceed BPF_MAX_TRAMP_PROGS.\n\nWhen this happens, the assignment \u0027*progs++ = aux-\u003eprog\u0027 in\nbpf_trampoline_get_progs() will cause progs array overflow as the\nprogs field in the bpf_tramp_progs struct can only hold at most\nBPF_MAX_TRAMP_PROGS bpf programs."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:40:18.170Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7f845de2863334bed4f362e95853f5e7bc323737"
        },
        {
          "url": "https://git.kernel.org/stable/c/e36452d5da6325df7c10cffc60a9e68d21e2606d"
        },
        {
          "url": "https://git.kernel.org/stable/c/32c4559c61652f24c9fdd5440342196fe37453bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f8897bcc20b9ae44758e0572538d741ab66f0dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d"
        }
      ],
      "title": "bpf: Fix potential array overflow in bpf_trampoline_get_progs()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49548",
    "datePublished": "2025-02-26T02:13:59.797Z",
    "dateReserved": "2025-02-26T02:08:31.590Z",
    "dateUpdated": "2025-05-04T08:40:18.170Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-49548\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-26T07:01:30.683\",\"lastModified\":\"2025-03-10T21:32:17.530\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix potential array overflow in bpf_trampoline_get_progs()\\n\\nThe cnt value in the \u0027cnt \u003e= BPF_MAX_TRAMP_PROGS\u0027 check does not\\ninclude BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of\\nthe attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline\\ncan exceed BPF_MAX_TRAMP_PROGS.\\n\\nWhen this happens, the assignment \u0027*progs++ = aux-\u003eprog\u0027 in\\nbpf_trampoline_get_progs() will cause progs array overflow as the\\nprogs field in the bpf_tramp_progs struct can only hold at most\\nBPF_MAX_TRAMP_PROGS bpf programs.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Se corrige un posible desbordamiento de matriz en bpf_trampoline_get_progs() El valor cnt en la comprobaci\u00f3n \u0027cnt \u0026gt;= BPF_MAX_TRAMP_PROGS\u0027 no incluye programas bpf BPF_TRAMP_MODIFY_RETURN, por lo que la cantidad de programas bpf BPF_TRAMP_MODIFY_RETURN adjuntos en un trampol\u00edn puede superar a BPF_MAX_TRAMP_PROGS. Cuando esto sucede, la asignaci\u00f3n \u0027*progs++ = aux-\u0026gt;prog\u0027 en bpf_trampoline_get_progs() provocar\u00e1 un desbordamiento de la matriz progs, ya que el campo progs en la estructura bpf_tramp_progs solo puede contener como m\u00e1ximo programas bpf BPF_MAX_TRAMP_PROGS.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-129\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.7\",\"versionEndExcluding\":\"5.10.120\",\"matchCriteriaId\":\"78702CD4-AEE5-45F6-90C7-1EB25AF09D08\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.45\",\"matchCriteriaId\":\"08D699AD-F4CE-4BDD-A97E-4997299C7712\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.17.13\",\"matchCriteriaId\":\"192FC54B-5367-49D6-B410-0285F14665B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.18\",\"versionEndExcluding\":\"5.18.2\",\"matchCriteriaId\":\"9FF255A1-64F4-4E31-AF44-C92FB8773BA2\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/32c4559c61652f24c9fdd5440342196fe37453bc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4f8897bcc20b9ae44758e0572538d741ab66f0dc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7f845de2863334bed4f362e95853f5e7bc323737\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e36452d5da6325df7c10cffc60a9e68d21e2606d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…