ghsa-34vw-87pm-jfg6
Vulnerability from github
Published: 2025-10-01 12:30
Modified: 2025-10-01 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

libbpf: Use elf_getshdrnum() instead of e_shnum

This commit replaces e_shnum with the elf_getshdrnum() helper to fix two oss-fuzz-reported heap-buffer overflows in __bpf_object__open. Both reports are incorrectly marked as fixed while still being reproducible in the latest libbpf.

  # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704
  libbpf: loading object 'fuzz-object' from buffer
  libbpf: sec_cnt is 0
  libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2
  libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1
  =================================================================
  ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8
  WRITE of size 4 at 0x6020000000c0 thread T0
  SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)
      #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24
      #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16
      #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20
      ...

The issue lies in libbpf's direct use of the e_shnum field in the ELF header as the section header count, whereas libelf implements extra logic that, when e_shnum == 0 && e_shoff != 0, uses the sh_size member of the initial section header as the real section header count (part of the ELF spec to accommodate situations where the section header count is larger than SHN_LORESERVE).

The above inconsistency led to libbpf writing into a zero-entry calloc area. So instead of using e_shnum directly, use the elf_getshdrnum() helper provided by libelf to retrieve the section header count into sec_cnt.
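As an added illustration (not code from the kernel commit, libbpf or libelf), the following standalone C parser shows the two ways of counting section headers that the commit message contrasts: trusting e_shnum directly, versus the ELF-spec rule that elf_getshdrnum() applies, where e_shnum == 0 with e_shoff != 0 means the real count sits in sh_size of section header 0. The field offsets are the standard little-endian Elf64 layout; the ELF image is constructed inside the block, and build_extended_elf(), elf_naive_shnum(), elf_section_count() and section_count_gap() are names chosen here, not libbpf APIs. The spec-conformant reader also bounds the extended count by the buffer size, so a caller that sizes an allocation from it cannot be handed a count the image cannot back.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes for the counting helpers. */
enum {
    ELF_OK = 0,
    ELF_ERR_TRUNCATED = -1,  /* buffer ends before a field we must read */
    ELF_ERR_FORMAT = -2,     /* not a little-endian ELF64 image */
    ELF_ERR_BOUNDS = -3      /* claimed section table does not fit in the buffer */
};

/* Byte offsets of the Elf64_Ehdr / Elf64_Shdr fields used below (standard layout). */
#define EHDR_SIZE   64
#define E_SHOFF     0x28
#define E_SHENTSIZE 0x3A
#define E_SHNUM     0x3C
#define SHDR_SIZE   64
#define SH_SIZE     0x20

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint64_t rd64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

static int check_ehdr(const uint8_t *buf, size_t len)
{
    if (len < EHDR_SIZE) return ELF_ERR_TRUNCATED;
    /* magic, ELFCLASS64, ELFDATA2LSB */
    if (memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[4] != 2 || buf[5] != 1) return ELF_ERR_FORMAT;
    return ELF_OK;
}

/* Pre-fix behaviour: trust e_shnum as the section count. */
int elf_naive_shnum(const uint8_t *buf, size_t len, uint64_t *count)
{
    int rc = check_ehdr(buf, len);
    if (rc != ELF_OK) return rc;
    *count = rd16(buf + E_SHNUM);
    return ELF_OK;
}

/* Spec-conformant count, following the rule elf_getshdrnum() applies:
 * e_shnum == 0 together with e_shoff != 0 means shdr[0].sh_size holds the real count. */
int elf_section_count(const uint8_t *buf, size_t len, uint64_t *count)
{
    int rc = check_ehdr(buf, len);
    if (rc != ELF_OK) return rc;
    uint64_t shoff = rd64(buf + E_SHOFF);
    uint16_t shentsize = rd16(buf + E_SHENTSIZE);
    uint16_t shnum = rd16(buf + E_SHNUM);
    if (shnum != 0 || shoff == 0) { *count = shnum; return ELF_OK; }
    if (shentsize < SHDR_SIZE) return ELF_ERR_FORMAT;
    if (shoff > len || len - shoff < SHDR_SIZE) return ELF_ERR_TRUNCATED;
    uint64_t real = rd64(buf + shoff + SH_SIZE);
    /* Refuse a count the buffer cannot hold before anyone sizes an allocation by it. */
    if (real > (len - shoff) / shentsize) return ELF_ERR_BOUNDS;
    *count = real;
    return ELF_OK;
}

/* Constructed test image (not a real object): e_shnum = 0, the section table follows the
 * header directly, and shdr[0].sh_size carries the real count. Returns bytes written, 0 on error. */
size_t build_extended_elf(uint8_t *buf, size_t cap, uint64_t nsec)
{
    if (nsec == 0 || cap < EHDR_SIZE || nsec > (cap - EHDR_SIZE) / SHDR_SIZE) return 0;
    size_t need = EHDR_SIZE + (size_t)nsec * SHDR_SIZE;
    memset(buf, 0, need);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;         /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    wr16(buf + 16, 1);                          /* e_type = ET_REL */
    wr64(buf + E_SHOFF, EHDR_SIZE);
    wr16(buf + 0x34, EHDR_SIZE);                /* e_ehsize */
    wr16(buf + E_SHENTSIZE, SHDR_SIZE);
    wr16(buf + E_SHNUM, 0);                     /* triggers extended numbering */
    wr64(buf + EHDR_SIZE + SH_SIZE, nsec);      /* shdr[0].sh_size = real count */
    return need;
}

/* How many entries an allocation sized by e_shnum would be missing for an nsec-section
 * image of the kind above (the gap that turned into the out-of-bounds write). 0 on failure. */
uint64_t section_count_gap(uint64_t nsec)
{
    uint8_t img[EHDR_SIZE + 8 * SHDR_SIZE];
    uint64_t naive, real;
    size_t n = build_extended_elf(img, sizeof img, nsec);
    if (n == 0 || elf_naive_shnum(img, n, &naive) != ELF_OK ||
        elf_section_count(img, n, &real) != ELF_OK)
        return 0;
    return real - naive;
}

int main(void)
{
    printf("entries missing when sizing by e_shnum for a 3-section image: %llu\n",
           (unsigned long long)section_count_gap(3));
    return 0;
}
```

On the constructed image the e_shnum reading yields 0 while the spec-conformant reading yields 3, which is the same mismatch visible in the log above, where sec_cnt is 0 yet libelf still hands back section(1) and section(2).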



{
  "affected": [],
  "aliases": [
    "CVE-2022-50450"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:37Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibbpf: Use elf_getshdrnum() instead of e_shnum\n\nThis commit replace e_shnum with the elf_getshdrnum() helper to fix two\noss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both\nreports are incorrectly marked as fixed and while still being\nreproducible in the latest libbpf.\n\n  # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704\n  libbpf: loading object \u0027fuzz-object\u0027 from buffer\n  libbpf: sec_cnt is 0\n  libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2\n  libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1\n  =================================================================\n  ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8\n  WRITE of size 4 at 0x6020000000c0 thread T0\n  SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)\n      #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24\n      #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16\n      #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20\n      ...\n\nThe issue lie in libbpf\u0027s direct use of e_shnum field in ELF header as\nthe section header count. Where as libelf implemented an extra logic\nthat, when e_shnum == 0 \u0026\u0026 e_shoff != 0, will use sh_size member of the\ninitial section header as the real section header count (part of ELF\nspec to accommodate situation where section header counter is larger\nthan SHN_LORESERVE).\n\nThe above inconsistency lead to libbpf writing into a zero-entry calloc\narea. So intead of using e_shnum directly, use the elf_getshdrnum()\nhelper provided by libelf to retrieve the section header counter into\nsec_cnt.",
  "id": "GHSA-34vw-87pm-jfg6",
  "modified": "2025-10-01T12:30:28Z",
  "published": "2025-10-01T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50450"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/51deedc9b8680953437dfe359e5268120de10e30"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/622ff59742fe7bf53c06a57332040fa0e08b8242"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/854f8c61422053f71e3cf0c4abf757c8aa5c748d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}
