CVE-2022-48940 - OpenCVE

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/719d1c2524c89ada78c4c9202641c1d9e942a322
https://git.kernel.org/stable/c/a8abb0c3dc1e28454851a00f8b7333d9695d566c
https://git.kernel.org/stable/c/eca9bd215d2233de79d930fa97aefbce03247a98
https://lore.kernel.org/linux-cve-announce/2024082226-CVE-2022-48940-da55@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2022-48940
https://www.cve.org/CVERecord?id=CVE-2022-48940

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
Weaknesses		CWE-119
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2024082226-CVE-2022-48940-da55@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2022-48940 https://www.cve.org/CVERecord?id=CVE-2022-48940
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: Fix crash due to incorrect copy_map_value When both bpf_spin_lock and bpf_timer are present in a BPF map value, copy_map_value needs to skirt both objects when copying a value into and out of the map. However, the current code does not set both s_off and t_off in copy_map_value, which leads to a crash when e.g. bpf_spin_lock is placed in map value with bpf_timer, as bpf_map_update_elem call will be able to overwrite the other timer object. When the issue is not fixed, an overwriting can produce the following splat: [root@(none) bpf]# ./test_progs -t timer_crash [ 15.930339] bpf_testmod: loading out-of-tree module taints kernel. [ 16.037849] ================================================================== [ 16.038458] BUG: KASAN: user-memory-access in __pv_queued_spin_lock_slowpath+0x32b/0x520 [ 16.038944] Write of size 8 at addr 0000000000043ec0 by task test_progs/325 [ 16.039399] [ 16.039514] CPU: 0 PID: 325 Comm: test_progs Tainted: G OE 5.16.0+ #278 [ 16.039983] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.15.0-1 04/01/2014 [ 16.040485] Call Trace: [ 16.040645] <TASK> [ 16.040805] dump_stack_lvl+0x59/0x73 [ 16.041069] ? __pv_queued_spin_lock_slowpath+0x32b/0x520 [ 16.041427] kasan_report.cold+0x116/0x11b [ 16.041673] ? __pv_queued_spin_lock_slowpath+0x32b/0x520 [ 16.042040] __pv_queued_spin_lock_slowpath+0x32b/0x520 [ 16.042328] ? memcpy+0x39/0x60 [ 16.042552] ? pv_hash+0xd0/0xd0 [ 16.042785] ? lockdep_hardirqs_off+0x95/0xd0 [ 16.043079] __bpf_spin_lock_irqsave+0xdf/0xf0 [ 16.043366] ? bpf_get_current_comm+0x50/0x50 [ 16.043608] ? jhash+0x11a/0x270 [ 16.043848] bpf_timer_cancel+0x34/0xe0 [ 16.044119] bpf_prog_c4ea1c0f7449940d_sys_enter+0x7c/0x81 [ 16.044500] bpf_trampoline_6442477838_0+0x36/0x1000 [ 16.044836] __x64_sys_nanosleep+0x5/0x140 [ 16.045119] do_syscall_64+0x59/0x80 [ 16.045377] ? lock_is_held_type+0xe4/0x140 [ 16.045670] ? irqentry_exit_to_user_mode+0xa/0x40 [ 16.046001] ? mark_held_locks+0x24/0x90 [ 16.046287] ? asm_exc_page_fault+0x1e/0x30 [ 16.046569] ? asm_exc_page_fault+0x8/0x30 [ 16.046851] ? lockdep_hardirqs_on+0x7e/0x100 [ 16.047137] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 16.047405] RIP: 0033:0x7f9e4831718d [ 16.047602] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48 [ 16.048764] RSP: 002b:00007fff488086b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000023 [ 16.049275] RAX: ffffffffffffffda RBX: 00007f9e48683740 RCX: 00007f9e4831718d [ 16.049747] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff488086d0 [ 16.050225] RBP: 00007fff488086f0 R08: 00007fff488085d7 R09: 00007f9e4cb594a0 [ 16.050648] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f9e484cde30 [ 16.051124] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 16.051608] </TASK> [ 16.051762] ==================================================================
Title		bpf: Fix crash due to incorrect copy_map_value
References		https://git.kernel.org/stable/c/719d1c2524c89ada78c4c9202641c1d9e942a322 https://git.kernel.org/stable/c/a8abb0c3dc1e28454851a00f8b7333d9695d566c https://git.kernel.org/stable/c/eca9bd215d2233de79d930fa97aefbce03247a98

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48940", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-08-22T01:27:53.623Z", "datePublished": "2024-08-22T03:31:35.844Z", "dateUpdated": "2024-09-12T17:32:59.231Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-08-22T03:31:35.844Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix crash due to incorrect copy_map_value\n\nWhen both bpf_spin_lock and bpf_timer are present in a BPF map value,\ncopy_map_value needs to skirt both objects when copying a value into and\nout of the map. However, the current code does not set both s_off and\nt_off in copy_map_value, which leads to a crash when e.g. bpf_spin_lock\nis placed in map value with bpf_timer, as bpf_map_update_elem call will\nbe able to overwrite the other timer object.\n\nWhen the issue is not fixed, an overwriting can produce the following\nsplat:\n\n[root@(none) bpf]# ./test_progs -t timer_crash\n[ 15.930339] bpf_testmod: loading out-of-tree module taints kernel.\n[ 16.037849] ==================================================================\n[ 16.038458] BUG: KASAN: user-memory-access in __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.038944] Write of size 8 at addr 0000000000043ec0 by task test_progs/325\n[ 16.039399]\n[ 16.039514] CPU: 0 PID: 325 Comm: test_progs Tainted: G OE 5.16.0+ #278\n[ 16.039983] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.15.0-1 04/01/2014\n[ 16.040485] Call Trace:\n[ 16.040645] <TASK>\n[ 16.040805] dump_stack_lvl+0x59/0x73\n[ 16.041069] ? __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.041427] kasan_report.cold+0x116/0x11b\n[ 16.041673] ? __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.042040] __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.042328] ? memcpy+0x39/0x60\n[ 16.042552] ? pv_hash+0xd0/0xd0\n[ 16.042785] ? lockdep_hardirqs_off+0x95/0xd0\n[ 16.043079] __bpf_spin_lock_irqsave+0xdf/0xf0\n[ 16.043366] ? bpf_get_current_comm+0x50/0x50\n[ 16.043608] ? jhash+0x11a/0x270\n[ 16.043848] bpf_timer_cancel+0x34/0xe0\n[ 16.044119] bpf_prog_c4ea1c0f7449940d_sys_enter+0x7c/0x81\n[ 16.044500] bpf_trampoline_6442477838_0+0x36/0x1000\n[ 16.044836] __x64_sys_nanosleep+0x5/0x140\n[ 16.045119] do_syscall_64+0x59/0x80\n[ 16.045377] ? lock_is_held_type+0xe4/0x140\n[ 16.045670] ? irqentry_exit_to_user_mode+0xa/0x40\n[ 16.046001] ? mark_held_locks+0x24/0x90\n[ 16.046287] ? asm_exc_page_fault+0x1e/0x30\n[ 16.046569] ? asm_exc_page_fault+0x8/0x30\n[ 16.046851] ? lockdep_hardirqs_on+0x7e/0x100\n[ 16.047137] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 16.047405] RIP: 0033:0x7f9e4831718d\n[ 16.047602] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48\n[ 16.048764] RSP: 002b:00007fff488086b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000023\n[ 16.049275] RAX: ffffffffffffffda RBX: 00007f9e48683740 RCX: 00007f9e4831718d\n[ 16.049747] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff488086d0\n[ 16.050225] RBP: 00007fff488086f0 R08: 00007fff488085d7 R09: 00007f9e4cb594a0\n[ 16.050648] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f9e484cde30\n[ 16.051124] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 16.051608] </TASK>\n[ 16.051762] =================================================================="}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/bpf.h"], "versions": [{"version": "68134668c17f", "lessThan": "719d1c2524c8", "status": "affected", "versionType": "git"}, {"version": "68134668c17f", "lessThan": "eca9bd215d22", "status": "affected", "versionType": "git"}, {"version": "68134668c17f", "lessThan": "a8abb0c3dc1e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/bpf.h"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.26", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.16.12", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/719d1c2524c89ada78c4c9202641c1d9e942a322"}, {"url": "https://git.kernel.org/stable/c/eca9bd215d2233de79d930fa97aefbce03247a98"}, {"url": "https://git.kernel.org/stable/c/a8abb0c3dc1e28454851a00f8b7333d9695d566c"}], "title": "bpf: Fix crash due to incorrect copy_map_value", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48940", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:32:21.126516Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T17:32:59.231Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48940", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:32:21.126516Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:12.597Z"}}], "cna": {"title": "bpf: Fix crash due to incorrect copy_map_value", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "68134668c17f", "lessThan": "719d1c2524c8", "versionType": "git"}, {"status": "affected", "version": "68134668c17f", "lessThan": "eca9bd215d22", "versionType": "git"}, {"status": "affected", "version": "68134668c17f", "lessThan": "a8abb0c3dc1e", "versionType": "git"}], "programFiles": ["include/linux/bpf.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.15"}, {"status": "unaffected", "version": "0", "lessThan": "5.15", "versionType": "custom"}, {"status": "unaffected", "version": "5.15.26", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16.12", "versionType": "custom", "lessThanOrEqual": "5.16.*"}, {"status": "unaffected", "version": "5.17", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["include/linux/bpf.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/719d1c2524c89ada78c4c9202641c1d9e942a322"}, {"url": "https://git.kernel.org/stable/c/eca9bd215d2233de79d930fa97aefbce03247a98"}, {"url": "https://git.kernel.org/stable/c/a8abb0c3dc1e28454851a00f8b7333d9695d566c"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix crash due to incorrect copy_map_value\n\nWhen both bpf_spin_lock and bpf_timer are present in a BPF map value,\ncopy_map_value needs to skirt both objects when copying a value into and\nout of the map. However, the current code does not set both s_off and\nt_off in copy_map_value, which leads to a crash when e.g. bpf_spin_lock\nis placed in map value with bpf_timer, as bpf_map_update_elem call will\nbe able to overwrite the other timer object.\n\nWhen the issue is not fixed, an overwriting can produce the following\nsplat:\n\n[root@(none) bpf]# ./test_progs -t timer_crash\n[ 15.930339] bpf_testmod: loading out-of-tree module taints kernel.\n[ 16.037849] ==================================================================\n[ 16.038458] BUG: KASAN: user-memory-access in __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.038944] Write of size 8 at addr 0000000000043ec0 by task test_progs/325\n[ 16.039399]\n[ 16.039514] CPU: 0 PID: 325 Comm: test_progs Tainted: G OE 5.16.0+ #278\n[ 16.039983] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.15.0-1 04/01/2014\n[ 16.040485] Call Trace:\n[ 16.040645] <TASK>\n[ 16.040805] dump_stack_lvl+0x59/0x73\n[ 16.041069] ? __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.041427] kasan_report.cold+0x116/0x11b\n[ 16.041673] ? __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.042040] __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.042328] ? memcpy+0x39/0x60\n[ 16.042552] ? pv_hash+0xd0/0xd0\n[ 16.042785] ? lockdep_hardirqs_off+0x95/0xd0\n[ 16.043079] __bpf_spin_lock_irqsave+0xdf/0xf0\n[ 16.043366] ? bpf_get_current_comm+0x50/0x50\n[ 16.043608] ? jhash+0x11a/0x270\n[ 16.043848] bpf_timer_cancel+0x34/0xe0\n[ 16.044119] bpf_prog_c4ea1c0f7449940d_sys_enter+0x7c/0x81\n[ 16.044500] bpf_trampoline_6442477838_0+0x36/0x1000\n[ 16.044836] __x64_sys_nanosleep+0x5/0x140\n[ 16.045119] do_syscall_64+0x59/0x80\n[ 16.045377] ? lock_is_held_type+0xe4/0x140\n[ 16.045670] ? irqentry_exit_to_user_mode+0xa/0x40\n[ 16.046001] ? mark_held_locks+0x24/0x90\n[ 16.046287] ? asm_exc_page_fault+0x1e/0x30\n[ 16.046569] ? asm_exc_page_fault+0x8/0x30\n[ 16.046851] ? lockdep_hardirqs_on+0x7e/0x100\n[ 16.047137] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 16.047405] RIP: 0033:0x7f9e4831718d\n[ 16.047602] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48\n[ 16.048764] RSP: 002b:00007fff488086b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000023\n[ 16.049275] RAX: ffffffffffffffda RBX: 00007f9e48683740 RCX: 00007f9e4831718d\n[ 16.049747] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff488086d0\n[ 16.050225] RBP: 00007fff488086f0 R08: 00007fff488085d7 R09: 00007f9e4cb594a0\n[ 16.050648] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f9e484cde30\n[ 16.051124] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 16.051608] </TASK>\n[ 16.051762] =================================================================="}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-08-22T03:31:35.844Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48940", "state": "PUBLISHED", "dateUpdated": "2024-09-12T17:32:59.231Z", "dateReserved": "2024-08-22T01:27:53.623Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-08-22T03:31:35.844Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD0395FB-2D21-4970-B193-86285F5C505E", "versionEndExcluding": "5.15.26", "versionStartIncluding": "5.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C76BAB21-7F23-4AD8-A25F-CA7B262A2698", "versionEndExcluding": "5.16.12", "versionStartIncluding": "5.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix crash due to incorrect copy_map_value\n\nWhen both bpf_spin_lock and bpf_timer are present in a BPF map value,\ncopy_map_value needs to skirt both objects when copying a value into and\nout of the map. However, the current code does not set both s_off and\nt_off in copy_map_value, which leads to a crash when e.g. bpf_spin_lock\nis placed in map value with bpf_timer, as bpf_map_update_elem call will\nbe able to overwrite the other timer object.\n\nWhen the issue is not fixed, an overwriting can produce the following\nsplat:\n\n[root@(none) bpf]# ./test_progs -t timer_crash\n[ 15.930339] bpf_testmod: loading out-of-tree module taints kernel.\n[ 16.037849] ==================================================================\n[ 16.038458] BUG: KASAN: user-memory-access in __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.038944] Write of size 8 at addr 0000000000043ec0 by task test_progs/325\n[ 16.039399]\n[ 16.039514] CPU: 0 PID: 325 Comm: test_progs Tainted: G OE 5.16.0+ #278\n[ 16.039983] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.15.0-1 04/01/2014\n[ 16.040485] Call Trace:\n[ 16.040645] <TASK>\n[ 16.040805] dump_stack_lvl+0x59/0x73\n[ 16.041069] ? __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.041427] kasan_report.cold+0x116/0x11b\n[ 16.041673] ? __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.042040] __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.042328] ? memcpy+0x39/0x60\n[ 16.042552] ? pv_hash+0xd0/0xd0\n[ 16.042785] ? lockdep_hardirqs_off+0x95/0xd0\n[ 16.043079] __bpf_spin_lock_irqsave+0xdf/0xf0\n[ 16.043366] ? bpf_get_current_comm+0x50/0x50\n[ 16.043608] ? jhash+0x11a/0x270\n[ 16.043848] bpf_timer_cancel+0x34/0xe0\n[ 16.044119] bpf_prog_c4ea1c0f7449940d_sys_enter+0x7c/0x81\n[ 16.044500] bpf_trampoline_6442477838_0+0x36/0x1000\n[ 16.044836] __x64_sys_nanosleep+0x5/0x140\n[ 16.045119] do_syscall_64+0x59/0x80\n[ 16.045377] ? lock_is_held_type+0xe4/0x140\n[ 16.045670] ? irqentry_exit_to_user_mode+0xa/0x40\n[ 16.046001] ? mark_held_locks+0x24/0x90\n[ 16.046287] ? asm_exc_page_fault+0x1e/0x30\n[ 16.046569] ? asm_exc_page_fault+0x8/0x30\n[ 16.046851] ? lockdep_hardirqs_on+0x7e/0x100\n[ 16.047137] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 16.047405] RIP: 0033:0x7f9e4831718d\n[ 16.047602] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48\n[ 16.048764] RSP: 002b:00007fff488086b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000023\n[ 16.049275] RAX: ffffffffffffffda RBX: 00007f9e48683740 RCX: 00007f9e4831718d\n[ 16.049747] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff488086d0\n[ 16.050225] RBP: 00007fff488086f0 R08: 00007fff488085d7 R09: 00007f9e4cb594a0\n[ 16.050648] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f9e484cde30\n[ 16.051124] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 16.051608] </TASK>\n[ 16.051762] =================================================================="}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: soluciona el fallo debido a copy_map_value incorrecto Cuando tanto bpf_spin_lock como bpf_timer est\u00e1n presentes en un valor de mapa BPF, copy_map_value necesita eludir ambos objetos al copiar un valor dentro y fuera del mapa. Sin embargo, el c\u00f3digo actual no establece s_off y t_off en copy_map_value, lo que provoca un bloqueo cuando, por ejemplo, bpf_spin_lock se coloca en el valor del mapa con bpf_timer, ya que la llamada a bpf_map_update_elem podr\u00e1 sobrescribir el otro objeto de temporizador. Cuando el problema no se soluciona, una sobrescritura puede producir el siguiente s\u00edmbolo: [root@(none) bpf]# ./test_progs -t timer_crash [15.930339] bpf_testmod: cargando el n\u00facleo de contaminaci\u00f3n del m\u00f3dulo fuera del \u00e1rbol. [16.037849] ================================================= =================== [16.038458] ERROR: KASAN: acceso a memoria de usuario en __pv_queued_spin_lock_slowpath+0x32b/0x520 [16.038944] Escritura de tama\u00f1o 8 en la direcci\u00f3n 0000000000043ec0 por tarea test_progs /325 [ 16.039399] [ 16.039514] CPU: 0 PID: 325 Comm: test_progs Contaminado: G OE 5.16.0+ #278 [ 16.039983] Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS ArchLinux 1.15.0- 1 01/04/2014 [ 16.040485] Seguimiento de llamadas: [ 16.040645] [ 16.040805] dump_stack_lvl+0x59/0x73 [ 16.041069] ? __pv_queued_spin_lock_slowpath+0x32b/0x520 [ 16.041427] kasan_report.cold+0x116/0x11b [ 16.041673] ? __pv_queued_spin_lock_slowpath+0x32b/0x520 [16.042040] __pv_queued_spin_lock_slowpath+0x32b/0x520 [16.042328] ? memcpy+0x39/0x60 [16.042552]? pv_hash+0xd0/0xd0 [16.042785]? lockdep_hardirqs_off+0x95/0xd0 [ 16.043079] __bpf_spin_lock_irqsave+0xdf/0xf0 [ 16.043366] ? bpf_get_current_comm+0x50/0x50 [16.043608]? jhash+0x11a/0x270 [ 16.043848] bpf_timer_cancel+0x34/0xe0 [ 16.044119] bpf_prog_c4ea1c0f7449940d_sys_enter+0x7c/0x81 [ 16.044500] 7838_0+0x36/0x1000 [ 16.044836] __x64_sys_nanosleep+0x5/0x140 [ 16.045119] do_syscall_64+0x59/0x80 [ 16.045377] ? lock_is_held_type+0xe4/0x140 [16.045670]? irqentry_exit_to_user_mode+0xa/0x40 [16.046001]? mark_held_locks+0x24/0x90 [16.046287]? asm_exc_page_fault+0x1e/0x30 [16.046569]? asm_exc_page_fault+0x8/0x30 [16.046851]? lockdep_hardirqs_on+0x7e/0x100 [16.047137] Entry_SYSCALL_64_after_hwframe+0x44/0xae [16.047405] RIP: 0033:0x7f9e4831718d [16.047602] C\u00f3digo: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48 [ 16.048764] : 002b:00007fff488086b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000023 [ 16.049275] RAX: ffffffffffffffda RBX: 00007f9e48683740 RCX: 00007f9e4831718d [ 16.049747] RDX: 000000000000 RSI: 0000000000000000 RDI: 00007fff488086d0 [ 16.050225] RBP: 00007fff488086f0 R08: 00007fff488085d7 R09: 00007f9e4cb594a0 [ 16.050648] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f9e484cde30 [ 16.051124] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 16.051608 ] [ 16.051762] ========================= ============================================"}], "id": "CVE-2022-48940", "lastModified": "2024-08-22T18:37:46.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-08-22T04:15:17.907", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/719d1c2524c89ada78c4c9202641c1d9e942a322"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a8abb0c3dc1e28454851a00f8b7333d9695d566c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/eca9bd215d2233de79d930fa97aefbce03247a98"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bpf: Fix crash due to incorrect copy_map_value", "id": "2307196", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2307196"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-119", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbpf: Fix crash due to incorrect copy_map_value\nWhen both bpf_spin_lock and bpf_timer are present in a BPF map value,\ncopy_map_value needs to skirt both objects when copying a value into and\nout of the map. However, the current code does not set both s_off and\nt_off in copy_map_value, which leads to a crash when e.g. bpf_spin_lock\nis placed in map value with bpf_timer, as bpf_map_update_elem call will\nbe able to overwrite the other timer object.\nWhen the issue is not fixed, an overwriting can produce the following\nsplat:\n[root@(none) bpf]# ./test_progs -t timer_crash\n[ 15.930339] bpf_testmod: loading out-of-tree module taints kernel.\n[ 16.037849] ==================================================================\n[ 16.038458] BUG: KASAN: user-memory-access in __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.038944] Write of size 8 at addr 0000000000043ec0 by task test_progs/325\n[ 16.039399]\n[ 16.039514] CPU: 0 PID: 325 Comm: test_progs Tainted: G OE 5.16.0+ #278\n[ 16.039983] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.15.0-1 04/01/2014\n[ 16.040485] Call Trace:\n[ 16.040645] <TASK>\n[ 16.040805] dump_stack_lvl+0x59/0x73\n[ 16.041069] ? __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.041427] kasan_report.cold+0x116/0x11b\n[ 16.041673] ? __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.042040] __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.042328] ? memcpy+0x39/0x60\n[ 16.042552] ? pv_hash+0xd0/0xd0\n[ 16.042785] ? lockdep_hardirqs_off+0x95/0xd0\n[ 16.043079] __bpf_spin_lock_irqsave+0xdf/0xf0\n[ 16.043366] ? bpf_get_current_comm+0x50/0x50\n[ 16.043608] ? jhash+0x11a/0x270\n[ 16.043848] bpf_timer_cancel+0x34/0xe0\n[ 16.044119] bpf_prog_c4ea1c0f7449940d_sys_enter+0x7c/0x81\n[ 16.044500] bpf_trampoline_6442477838_0+0x36/0x1000\n[ 16.044836] __x64_sys_nanosleep+0x5/0x140\n[ 16.045119] do_syscall_64+0x59/0x80\n[ 16.045377] ? lock_is_held_type+0xe4/0x140\n[ 16.045670] ? irqentry_exit_to_user_mode+0xa/0x40\n[ 16.046001] ? mark_held_locks+0x24/0x90\n[ 16.046287] ? asm_exc_page_fault+0x1e/0x30\n[ 16.046569] ? asm_exc_page_fault+0x8/0x30\n[ 16.046851] ? lockdep_hardirqs_on+0x7e/0x100\n[ 16.047137] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 16.047405] RIP: 0033:0x7f9e4831718d\n[ 16.047602] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48\n[ 16.048764] RSP: 002b:00007fff488086b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000023\n[ 16.049275] RAX: ffffffffffffffda RBX: 00007f9e48683740 RCX: 00007f9e4831718d\n[ 16.049747] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff488086d0\n[ 16.050225] RBP: 00007fff488086f0 R08: 00007fff488085d7 R09: 00007f9e4cb594a0\n[ 16.050648] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f9e484cde30\n[ 16.051124] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 16.051608] </TASK>\n[ 16.051762] =================================================================="], "name": "CVE-2022-48940", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-08-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48940\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48940\nhttps://lore.kernel.org/linux-cve-announce/2024082226-CVE-2022-48940-da55@gregkh/T"], "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object