github - ghsa-hg9m-frc8-4qpx

GHSA-HG9M-FRC8-4QPX

Vulnerability from github – Published: 2025-10-22 18:30 – Updated: 2025-10-22 18:30

Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix combination of jit blinding and pointers to bpf subprogs.

The combination of jit blinding and pointers to bpf subprogs causes: [ 36.989548] BUG: unable to handle page fault for address: 0000000100000001 [ 36.990342] #PF: supervisor instruction fetch in kernel mode [ 36.990968] #PF: error_code(0x0010) - not-present page [ 36.994859] RIP: 0010:0x100000001 [ 36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7. [ 37.004091] Call Trace: [ 37.004351] [ 37.004576] ? bpf_loop+0x4d/0x70 [ 37.004932] ? bpf_prog_3899083f75e4c5de_F+0xe3/0x13b

The jit blinding logic didn't recognize that ld_imm64 with an address of bpf subprogram is a special instruction and proceeded to randomize it. By itself it wouldn't have been an issue, but jit_subprogs() logic relies on two step process to JIT all subprogs and then JIT them again when addresses of all subprogs are known. Blinding process in the first JIT phase caused second JIT to miss adjustment of special ld_imm64.

Fix this issue by ignoring special ld_imm64 instructions that don't have user controlled constants and shouldn't be blinded.

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-49552"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:31Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix combination of jit blinding and pointers to bpf subprogs.\n\nThe combination of jit blinding and pointers to bpf subprogs causes:\n[   36.989548] BUG: unable to handle page fault for address: 0000000100000001\n[   36.990342] #PF: supervisor instruction fetch in kernel mode\n[   36.990968] #PF: error_code(0x0010) - not-present page\n[   36.994859] RIP: 0010:0x100000001\n[   36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7.\n[   37.004091] Call Trace:\n[   37.004351]  \u003cTASK\u003e\n[   37.004576]  ? bpf_loop+0x4d/0x70\n[   37.004932]  ? bpf_prog_3899083f75e4c5de_F+0xe3/0x13b\n\nThe jit blinding logic didn\u0027t recognize that ld_imm64 with an address\nof bpf subprogram is a special instruction and proceeded to randomize it.\nBy itself it wouldn\u0027t have been an issue, but jit_subprogs() logic\nrelies on two step process to JIT all subprogs and then JIT them\nagain when addresses of all subprogs are known.\nBlinding process in the first JIT phase caused second JIT to miss\nadjustment of special ld_imm64.\n\nFix this issue by ignoring special ld_imm64 instructions that don\u0027t have\nuser controlled constants and shouldn\u0027t be blinded.",
  "id": "GHSA-hg9m-frc8-4qpx",
  "modified": "2025-10-22T18:30:31Z",
  "published": "2025-10-22T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49552"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b6313cf99b0d51b49aeaea98ec76ca8161ecb80"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a029b02b47dd5bb87a21550d9d9a80cb4dd3f714"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d106a3e96fca30e44081eae9c27aab28fc132a46"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2022-49552 (GCVE-0-2022-49552)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:14 – Updated: 2025-05-04 08:40

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix combination of jit blinding and pointers to bpf subprogs. The combination of jit blinding and pointers to bpf subprogs causes: [ 36.989548] BUG: unable to handle page fault for address: 0000000100000001 [ 36.990342] #PF: supervisor instruction fetch in kernel mode [ 36.990968] #PF: error_code(0x0010) - not-present page [ 36.994859] RIP: 0010:0x100000001 [ 36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7. [ 37.004091] Call Trace: [ 37.004351] <TASK> [ 37.004576] ? bpf_loop+0x4d/0x70 [ 37.004932] ? bpf_prog_3899083f75e4c5de_F+0xe3/0x13b The jit blinding logic didn't recognize that ld_imm64 with an address of bpf subprogram is a special instruction and proceeded to randomize it. By itself it wouldn't have been an issue, but jit_subprogs() logic relies on two step process to JIT all subprogs and then JIT them again when addresses of all subprogs are known. Blinding process in the first JIT phase caused second JIT to miss adjustment of special ld_imm64. Fix this issue by ignoring special ld_imm64 instructions that don't have user controlled constants and shouldn't be blinded.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a029b02b47dd5bb87…
	https://git.kernel.org/stable/c/d106a3e96fca30e44…
	https://git.kernel.org/stable/c/4b6313cf99b0d51b4…

Impacted products

Vendor

Product

Version

Linux

Affected: 69c087ba6225b574afb6e505b72cb75242a3d844 , < a029b02b47dd5bb87a21550d9d9a80cb4dd3f714 (git)
Affected: 69c087ba6225b574afb6e505b72cb75242a3d844 , < d106a3e96fca30e44081eae9c27aab28fc132a46 (git)
Affected: 69c087ba6225b574afb6e505b72cb75242a3d844 , < 4b6313cf99b0d51b49aeaea98ec76ca8161ecb80 (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.17.13 , ≤ 5.17.* (semver)
Unaffected: 5.18.2 , ≤ 5.18.* (semver)
Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a029b02b47dd5bb87a21550d9d9a80cb4dd3f714",
              "status": "affected",
              "version": "69c087ba6225b574afb6e505b72cb75242a3d844",
              "versionType": "git"
            },
            {
              "lessThan": "d106a3e96fca30e44081eae9c27aab28fc132a46",
              "status": "affected",
              "version": "69c087ba6225b574afb6e505b72cb75242a3d844",
              "versionType": "git"
            },
            {
              "lessThan": "4b6313cf99b0d51b49aeaea98ec76ca8161ecb80",
              "status": "affected",
              "version": "69c087ba6225b574afb6e505b72cb75242a3d844",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.13",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.2",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix combination of jit blinding and pointers to bpf subprogs.\n\nThe combination of jit blinding and pointers to bpf subprogs causes:\n[   36.989548] BUG: unable to handle page fault for address: 0000000100000001\n[   36.990342] #PF: supervisor instruction fetch in kernel mode\n[   36.990968] #PF: error_code(0x0010) - not-present page\n[   36.994859] RIP: 0010:0x100000001\n[   36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7.\n[   37.004091] Call Trace:\n[   37.004351]  \u003cTASK\u003e\n[   37.004576]  ? bpf_loop+0x4d/0x70\n[   37.004932]  ? bpf_prog_3899083f75e4c5de_F+0xe3/0x13b\n\nThe jit blinding logic didn\u0027t recognize that ld_imm64 with an address\nof bpf subprogram is a special instruction and proceeded to randomize it.\nBy itself it wouldn\u0027t have been an issue, but jit_subprogs() logic\nrelies on two step process to JIT all subprogs and then JIT them\nagain when addresses of all subprogs are known.\nBlinding process in the first JIT phase caused second JIT to miss\nadjustment of special ld_imm64.\n\nFix this issue by ignoring special ld_imm64 instructions that don\u0027t have\nuser controlled constants and shouldn\u0027t be blinded."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:40:23.364Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a029b02b47dd5bb87a21550d9d9a80cb4dd3f714"
        },
        {
          "url": "https://git.kernel.org/stable/c/d106a3e96fca30e44081eae9c27aab28fc132a46"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b6313cf99b0d51b49aeaea98ec76ca8161ecb80"
        }
      ],
      "title": "bpf: Fix combination of jit blinding and pointers to bpf subprogs.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49552",
    "datePublished": "2025-02-26T02:14:01.696Z",
    "dateReserved": "2025-02-26T02:08:31.590Z",
    "dateUpdated": "2025-05-04T08:40:23.364Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-HG9M-FRC8-4QPX

CVE-2022-49552 (GCVE-0-2022-49552)

Tags

Sightings

Nomenclature