ghsa-vvp4-j3wj-9jvq
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix memory leaks in __check_func_call
kmemleak reports this issue:
unreferenced object 0xffff88817139d000 (size 2048): comm "test_progs", pid 33246, jiffies 4307381979 (age 45851.820s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000045f075f0>] kmalloc_trace+0x27/0xa0 [<0000000098b7c90a>] __check_func_call+0x316/0x1230 [<00000000b4c3c403>] check_helper_call+0x172e/0x4700 [<00000000aa3875b7>] do_check+0x21d8/0x45e0 [<000000001147357b>] do_check_common+0x767/0xaf0 [<00000000b5a595b4>] bpf_check+0x43e3/0x5bc0 [<0000000011e391b1>] bpf_prog_load+0xf26/0x1940 [<0000000007f765c0>] __sys_bpf+0xd2c/0x3650 [<00000000839815d6>] __x64_sys_bpf+0x75/0xc0 [<00000000946ee250>] do_syscall_64+0x3b/0x90 [<0000000000506b7f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
The root case here is: In function prepare_func_exit(), the callee is not released in the abnormal scenario after "state->curframe--;". To fix, move "state->curframe--;" to the very bottom of the function, right when we free callee and reset frame[] pointer to NULL, as Andrii suggested.
In addition, function __check_func_call() has a similar problem. In the abnormal scenario before "state->curframe++;", the callee also should be released by free_func_state().
{ "affected": [], "aliases": [ "CVE-2022-49837" ], "database_specific": { "cwe_ids": [ "CWE-401" ], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2025-05-01T15:16:07Z", "severity": "MODERATE" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix memory leaks in __check_func_call\n\nkmemleak reports this issue:\n\nunreferenced object 0xffff88817139d000 (size 2048):\n comm \"test_progs\", pid 33246, jiffies 4307381979 (age 45851.820s)\n hex dump (first 32 bytes):\n 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003c0000000045f075f0\u003e] kmalloc_trace+0x27/0xa0\n [\u003c0000000098b7c90a\u003e] __check_func_call+0x316/0x1230\n [\u003c00000000b4c3c403\u003e] check_helper_call+0x172e/0x4700\n [\u003c00000000aa3875b7\u003e] do_check+0x21d8/0x45e0\n [\u003c000000001147357b\u003e] do_check_common+0x767/0xaf0\n [\u003c00000000b5a595b4\u003e] bpf_check+0x43e3/0x5bc0\n [\u003c0000000011e391b1\u003e] bpf_prog_load+0xf26/0x1940\n [\u003c0000000007f765c0\u003e] __sys_bpf+0xd2c/0x3650\n [\u003c00000000839815d6\u003e] __x64_sys_bpf+0x75/0xc0\n [\u003c00000000946ee250\u003e] do_syscall_64+0x3b/0x90\n [\u003c0000000000506b7f\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root case here is: In function prepare_func_exit(), the callee is\nnot released in the abnormal scenario after \"state-\u003ecurframe--;\". To\nfix, move \"state-\u003ecurframe--;\" to the very bottom of the function,\nright when we free callee and reset frame[] pointer to NULL, as Andrii\nsuggested.\n\nIn addition, function __check_func_call() has a similar problem. In\nthe abnormal scenario before \"state-\u003ecurframe++;\", the callee also\nshould be released by free_func_state().", "id": "GHSA-vvp4-j3wj-9jvq", "modified": "2025-05-07T15:31:24Z", "published": "2025-05-01T15:31:49Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49837" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/83946d772e756734a900ef99dbe0aeda506adf37" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/d4944497827a3d14bc5a26dbcfb7433eb5a956c0" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/eb86559a691cea5fa63e57a03ec3dc9c31e97955" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ] }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.