FKIE_CVE-2022-50654

Vulnerability from fkie_nvd - Published: 2025-12-09 01:16 - Updated: 2025-12-09 18:37
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix panic due to wrong pageattr of im->image In the scenario where livepatch and kretfunc coexist, the pageattr of im->image is rox after arch_prepare_bpf_trampoline in bpf_trampoline_update, and then modify_fentry or register_fentry returns -EAGAIN from bpf_tramp_ftrace_ops_func, the BPF_TRAMP_F_ORIG_STACK flag will be configured, and arch_prepare_bpf_trampoline will be re-executed. At this time, because the pageattr of im->image is rox, arch_prepare_bpf_trampoline will read and write im->image, which causes a fault. as follows: insmod livepatch-sample.ko # samples/livepatch/livepatch-sample.c bpftrace -e 'kretfunc:cmdline_proc_show {}' BUG: unable to handle page fault for address: ffffffffa0206000 PGD 322d067 P4D 322d067 PUD 322e063 PMD 1297e067 PTE d428061 Oops: 0003 [#1] PREEMPT SMP PTI CPU: 2 PID: 270 Comm: bpftrace Tainted: G E K 6.1.0 #5 RIP: 0010:arch_prepare_bpf_trampoline+0xed/0x8c0 RSP: 0018:ffffc90001083ad8 EFLAGS: 00010202 RAX: ffffffffa0206000 RBX: 0000000000000020 RCX: 0000000000000000 RDX: ffffffffa0206001 RSI: ffffffffa0206000 RDI: 0000000000000030 RBP: ffffc90001083b70 R08: 0000000000000066 R09: ffff88800f51b400 R10: 000000002e72c6e5 R11: 00000000d0a15080 R12: ffff8880110a68c8 R13: 0000000000000000 R14: ffff88800f51b400 R15: ffffffff814fec10 FS: 00007f87bc0dc780(0000) GS:ffff88803e600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffa0206000 CR3: 0000000010b70000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> bpf_trampoline_update+0x25a/0x6b0 __bpf_trampoline_link_prog+0x101/0x240 bpf_trampoline_link_prog+0x2d/0x50 bpf_tracing_prog_attach+0x24c/0x530 bpf_raw_tp_link_attach+0x73/0x1d0 __sys_bpf+0x100e/0x2570 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x5b/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd With this patch, when modify_fentry or register_fentry returns -EAGAIN from bpf_tramp_ftrace_ops_func, the pageattr of im->image will be reset to nx+rw.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7f656fff955ccb216c40fa188a24c05fa40985a5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9ed1d9aeef5842ecacb660fce933613b58af1e00
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d9d383cbf812a3b4094c089aa5f5d41a3bb4531d
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix panic due to wrong pageattr of im-\u003eimage\n\nIn the scenario where livepatch and kretfunc coexist, the pageattr of\nim-\u003eimage is rox after arch_prepare_bpf_trampoline in\nbpf_trampoline_update, and then modify_fentry or register_fentry returns\n-EAGAIN from bpf_tramp_ftrace_ops_func, the BPF_TRAMP_F_ORIG_STACK flag\nwill be configured, and arch_prepare_bpf_trampoline will be re-executed.\n\nAt this time, because the pageattr of im-\u003eimage is rox,\narch_prepare_bpf_trampoline will read and write im-\u003eimage, which causes\na fault. as follows:\n\n  insmod livepatch-sample.ko    # samples/livepatch/livepatch-sample.c\n  bpftrace -e \u0027kretfunc:cmdline_proc_show {}\u0027\n\nBUG: unable to handle page fault for address: ffffffffa0206000\nPGD 322d067 P4D 322d067 PUD 322e063 PMD 1297e067 PTE d428061\nOops: 0003 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 270 Comm: bpftrace Tainted: G            E K    6.1.0 #5\nRIP: 0010:arch_prepare_bpf_trampoline+0xed/0x8c0\nRSP: 0018:ffffc90001083ad8 EFLAGS: 00010202\nRAX: ffffffffa0206000 RBX: 0000000000000020 RCX: 0000000000000000\nRDX: ffffffffa0206001 RSI: ffffffffa0206000 RDI: 0000000000000030\nRBP: ffffc90001083b70 R08: 0000000000000066 R09: ffff88800f51b400\nR10: 000000002e72c6e5 R11: 00000000d0a15080 R12: ffff8880110a68c8\nR13: 0000000000000000 R14: ffff88800f51b400 R15: ffffffff814fec10\nFS:  00007f87bc0dc780(0000) GS:ffff88803e600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffa0206000 CR3: 0000000010b70000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\n bpf_trampoline_update+0x25a/0x6b0\n __bpf_trampoline_link_prog+0x101/0x240\n bpf_trampoline_link_prog+0x2d/0x50\n bpf_tracing_prog_attach+0x24c/0x530\n bpf_raw_tp_link_attach+0x73/0x1d0\n __sys_bpf+0x100e/0x2570\n __x64_sys_bpf+0x1c/0x30\n do_syscall_64+0x5b/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nWith this patch, when modify_fentry or register_fentry returns -EAGAIN\nfrom bpf_tramp_ftrace_ops_func, the pageattr of im-\u003eimage will be reset\nto nx+rw."
    }
  ],
  "id": "CVE-2022-50654",
  "lastModified": "2025-12-09T18:37:13.640",
  "metrics": {},
  "published": "2025-12-09T01:16:48.340",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7f656fff955ccb216c40fa188a24c05fa40985a5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9ed1d9aeef5842ecacb660fce933613b58af1e00"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d9d383cbf812a3b4094c089aa5f5d41a3bb4531d"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.