GHSA-F4WF-P3GV-292P

Vulnerability from github – Published: 2025-12-30 15:30 – Updated: 2025-12-30 15:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: prevent decl_tag from being referenced in func_proto

Syzkaller was able to hit the following issue:

------------[ cut here ]------------ WARNING: CPU: 0 PID: 3609 at kernel/bpf/btf.c:1946 btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946 Modules linked in: CPU: 0 PID: 3609 Comm: syz-executor361 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 RIP: 0010:btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946 Code: ef e8 7f 8e e4 ff 41 83 ff 0b 77 28 f6 44 24 10 18 75 3f e8 6d 91 e4 ff 44 89 fe bf 0e 00 00 00 e8 20 8e e4 ff e8 5b 91 e4 ff <0f> 0b 45 31 f6 e9 98 02 00 00 41 83 ff 12 74 18 e8 46 91 e4 ff 44 RSP: 0018:ffffc90003cefb40 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: ffff8880259c0000 RSI: ffffffff81968415 RDI: 0000000000000005 RBP: ffff88801270ca00 R08: 0000000000000005 R09: 000000000000000e R10: 0000000000000011 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000011 R14: ffff888026ee6424 R15: 0000000000000011 FS: 000055555641b300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000f2e258 CR3: 000000007110e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: btf_func_proto_check kernel/bpf/btf.c:4447 [inline] btf_check_all_types kernel/bpf/btf.c:4723 [inline] btf_parse_type_sec kernel/bpf/btf.c:4752 [inline] btf_parse kernel/bpf/btf.c:5026 [inline] btf_new_fd+0x1926/0x1e70 kernel/bpf/btf.c:6892 bpf_btf_load kernel/bpf/syscall.c:4324 [inline] __sys_bpf+0xb7d/0x4cf0 kernel/bpf/syscall.c:5010 __do_sys_bpf kernel/bpf/syscall.c:5069 [inline] __se_sys_bpf kernel/bpf/syscall.c:5067 [inline] __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:5067 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f0fbae41c69 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc8aeb6228 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0fbae41c69 RDX: 0000000000000020 RSI: 0000000020000140 RDI: 0000000000000012 RBP: 00007f0fbae05e10 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000ffffffff R11: 0000000000000246 R12: 00007f0fbae05ea0 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Looks like it tries to create a func_proto which return type is decl_tag. For the details, see Martin's spot on analysis in [0].

0: https://lore.kernel.org/bpf/CAKH8qBuQDLva_hHxxBuZzyAcYNO4ejhovz6TQeVSk8HY-2SO6g@mail.gmail.com/T/#mea6524b3fcd6298347432226e81b1e6155efc62c

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50862"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T13:16:00Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: prevent decl_tag from being referenced in func_proto\n\nSyzkaller was able to hit the following issue:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 3609 at kernel/bpf/btf.c:1946\nbtf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946\nModules linked in:\nCPU: 0 PID: 3609 Comm: syz-executor361 Not tainted\n6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 09/22/2022\nRIP: 0010:btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946\nCode: ef e8 7f 8e e4 ff 41 83 ff 0b 77 28 f6 44 24 10 18 75 3f e8 6d 91\ne4 ff 44 89 fe bf 0e 00 00 00 e8 20 8e e4 ff e8 5b 91 e4 ff \u003c0f\u003e 0b 45\n31 f6 e9 98 02 00 00 41 83 ff 12 74 18 e8 46 91 e4 ff 44\nRSP: 0018:ffffc90003cefb40 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\nRDX: ffff8880259c0000 RSI: ffffffff81968415 RDI: 0000000000000005\nRBP: ffff88801270ca00 R08: 0000000000000005 R09: 000000000000000e\nR10: 0000000000000011 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000011 R14: ffff888026ee6424 R15: 0000000000000011\nFS:  000055555641b300(0000) GS:ffff8880b9a00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000f2e258 CR3: 000000007110e000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n btf_func_proto_check kernel/bpf/btf.c:4447 [inline]\n btf_check_all_types kernel/bpf/btf.c:4723 [inline]\n btf_parse_type_sec kernel/bpf/btf.c:4752 [inline]\n btf_parse kernel/bpf/btf.c:5026 [inline]\n btf_new_fd+0x1926/0x1e70 kernel/bpf/btf.c:6892\n bpf_btf_load kernel/bpf/syscall.c:4324 [inline]\n __sys_bpf+0xb7d/0x4cf0 kernel/bpf/syscall.c:5010\n __do_sys_bpf kernel/bpf/syscall.c:5069 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5067 [inline]\n __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:5067\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f0fbae41c69\nCode: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01\nf0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffc8aeb6228 EFLAGS: 00000246 ORIG_RAX: 0000000000000141\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0fbae41c69\nRDX: 0000000000000020 RSI: 0000000020000140 RDI: 0000000000000012\nRBP: 00007f0fbae05e10 R08: 0000000000000000 R09: 0000000000000000\nR10: 00000000ffffffff R11: 0000000000000246 R12: 00007f0fbae05ea0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nLooks like it tries to create a func_proto which return type is\ndecl_tag. For the details, see Martin\u0027s spot on analysis in [0].\n\n0: https://lore.kernel.org/bpf/CAKH8qBuQDLva_hHxxBuZzyAcYNO4ejhovz6TQeVSk8HY-2SO6g@mail.gmail.com/T/#mea6524b3fcd6298347432226e81b1e6155efc62c",
  "id": "GHSA-f4wf-p3gv-292p",
  "modified": "2025-12-30T15:30:28Z",
  "published": "2025-12-30T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50862"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9dbb4c539d058852b76937dcd7347d3f38054f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea68376c8bed5cd156900852aada20c3a0874d17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.