ghsa-vvp4-j3wj-9jvq
Vulnerability from github
Published
2025-05-01 15:31
Modified
2025-05-07 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix memory leaks in __check_func_call

kmemleak reports this issue:

unreferenced object 0xffff88817139d000 (size 2048): comm "test_progs", pid 33246, jiffies 4307381979 (age 45851.820s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000045f075f0>] kmalloc_trace+0x27/0xa0 [<0000000098b7c90a>] __check_func_call+0x316/0x1230 [<00000000b4c3c403>] check_helper_call+0x172e/0x4700 [<00000000aa3875b7>] do_check+0x21d8/0x45e0 [<000000001147357b>] do_check_common+0x767/0xaf0 [<00000000b5a595b4>] bpf_check+0x43e3/0x5bc0 [<0000000011e391b1>] bpf_prog_load+0xf26/0x1940 [<0000000007f765c0>] __sys_bpf+0xd2c/0x3650 [<00000000839815d6>] __x64_sys_bpf+0x75/0xc0 [<00000000946ee250>] do_syscall_64+0x3b/0x90 [<0000000000506b7f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root case here is: In function prepare_func_exit(), the callee is not released in the abnormal scenario after "state->curframe--;". To fix, move "state->curframe--;" to the very bottom of the function, right when we free callee and reset frame[] pointer to NULL, as Andrii suggested.

In addition, function __check_func_call() has a similar problem. In the abnormal scenario before "state->curframe++;", the callee also should be released by free_func_state().

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2022-49837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:07Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix memory leaks in __check_func_call\n\nkmemleak reports this issue:\n\nunreferenced object 0xffff88817139d000 (size 2048):\n  comm \"test_progs\", pid 33246, jiffies 4307381979 (age 45851.820s)\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [\u003c0000000045f075f0\u003e] kmalloc_trace+0x27/0xa0\n    [\u003c0000000098b7c90a\u003e] __check_func_call+0x316/0x1230\n    [\u003c00000000b4c3c403\u003e] check_helper_call+0x172e/0x4700\n    [\u003c00000000aa3875b7\u003e] do_check+0x21d8/0x45e0\n    [\u003c000000001147357b\u003e] do_check_common+0x767/0xaf0\n    [\u003c00000000b5a595b4\u003e] bpf_check+0x43e3/0x5bc0\n    [\u003c0000000011e391b1\u003e] bpf_prog_load+0xf26/0x1940\n    [\u003c0000000007f765c0\u003e] __sys_bpf+0xd2c/0x3650\n    [\u003c00000000839815d6\u003e] __x64_sys_bpf+0x75/0xc0\n    [\u003c00000000946ee250\u003e] do_syscall_64+0x3b/0x90\n    [\u003c0000000000506b7f\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root case here is: In function prepare_func_exit(), the callee is\nnot released in the abnormal scenario after \"state-\u003ecurframe--;\". To\nfix, move \"state-\u003ecurframe--;\" to the very bottom of the function,\nright when we free callee and reset frame[] pointer to NULL, as Andrii\nsuggested.\n\nIn addition, function __check_func_call() has a similar problem. In\nthe abnormal scenario before \"state-\u003ecurframe++;\", the callee also\nshould be released by free_func_state().",
  "id": "GHSA-vvp4-j3wj-9jvq",
  "modified": "2025-05-07T15:31:24Z",
  "published": "2025-05-01T15:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49837"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83946d772e756734a900ef99dbe0aeda506adf37"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d4944497827a3d14bc5a26dbcfb7433eb5a956c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eb86559a691cea5fa63e57a03ec3dc9c31e97955"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…