cve/published/2022/CVE-2022-48929.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48929: bpf: Fix crash due to out of bounds access into reg2btf_ids.

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: Fix crash due to out of bounds access into reg2btf_ids.

 When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added
 kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier
 reg type to the appropriate btf_vmlinux BTF ID, however
 commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
 moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after
 the base register types, and defined other variants using type flag
 composition. However, now, the direct usage of reg->type to index into
 reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to
 out of bounds access and kernel crash on dereference of bad pointer.

 The Linux kernel CVE team has assigned CVE-2022-48929 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.16.11 with commit 77459bc4d5e2c6f24db845780b4d9d60cf82d06a and fixed in 5.16.12 with commit f0ce1bc9e0235dd7412240be493d7ea65ed9eadc

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48929
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/bpf/btf.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae
 	https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc
 	https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48929: bpf: Fix crash due to out of bounds access into reg2btf_ids.

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: Fix crash due to out of bounds access into reg2btf_ids.

	When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added
	kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier
	reg type to the appropriate btf_vmlinux BTF ID, however
	commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX \| PTR_MAYBE_NULL")
	moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after
	the base register types, and defined other variants using type flag
	composition. However, now, the direct usage of reg->type to index into
	reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to
	out of bounds access and kernel crash on dereference of bad pointer.

	The Linux kernel CVE team has assigned CVE-2022-48929 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.16.11 with commit 77459bc4d5e2c6f24db845780b4d9d60cf82d06a and fixed in 5.16.12 with commit f0ce1bc9e0235dd7412240be493d7ea65ed9eadc

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48929
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/bpf/btf.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae
	https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc
	https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1