CVE-2022-50450 - Vulnerability Details

Link	Providers
https://git.kernel.org/stable/c/51deedc9b8680953437dfe359e5268120de10e30
https://git.kernel.org/stable/c/622ff59742fe7bf53c06a57332040fa0e08b8242
https://git.kernel.org/stable/c/854f8c61422053f71e3cf0c4abf757c8aa5c748d

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: libbpf: Use elf_getshdrnum() instead of e_shnum This commit replace e_shnum with the elf_getshdrnum() helper to fix two oss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both reports are incorrectly marked as fixed and while still being reproducible in the latest libbpf. # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704 libbpf: loading object 'fuzz-object' from buffer libbpf: sec_cnt is 0 libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2 libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1 ================================================================= ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8 WRITE of size 4 at 0x6020000000c0 thread T0 SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds) #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24 #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16 #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20 ... The issue lie in libbpf's direct use of e_shnum field in ELF header as the section header count. Where as libelf implemented an extra logic that, when e_shnum == 0 && e_shoff != 0, will use sh_size member of the initial section header as the real section header count (part of ELF spec to accommodate situation where section header counter is larger than SHN_LORESERVE). The above inconsistency lead to libbpf writing into a zero-entry calloc area. So intead of using e_shnum directly, use the elf_getshdrnum() helper provided by libelf to retrieve the section header counter into sec_cnt.
Title		libbpf: Use elf_getshdrnum() instead of e_shnum
References		https://git.kernel.org/stable/c/51deedc9b8680953437dfe359e5268120de10e30 https://git.kernel.org/stable/c/622ff59742fe7bf53c06a57332040fa0e08b8242 https://git.kernel.org/stable/c/854f8c61422053f71e3cf0c4abf757c8aa5c748d

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-50450", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-09-17T14:53:07.011Z", "datePublished": "2025-10-01T11:45:23.963Z", "dateUpdated": "2025-10-01T11:45:23.963Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-01T11:45:23.963Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibbpf: Use elf_getshdrnum() instead of e_shnum\n\nThis commit replace e_shnum with the elf_getshdrnum() helper to fix two\noss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both\nreports are incorrectly marked as fixed and while still being\nreproducible in the latest libbpf.\n\n # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704\n libbpf: loading object 'fuzz-object' from buffer\n libbpf: sec_cnt is 0\n libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2\n libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1\n =================================================================\n ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8\n WRITE of size 4 at 0x6020000000c0 thread T0\n SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)\n #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24\n #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16\n #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20\n ...\n\nThe issue lie in libbpf's direct use of e_shnum field in ELF header as\nthe section header count. Where as libelf implemented an extra logic\nthat, when e_shnum == 0 && e_shoff != 0, will use sh_size member of the\ninitial section header as the real section header count (part of ELF\nspec to accommodate situation where section header counter is larger\nthan SHN_LORESERVE).\n\nThe above inconsistency lead to libbpf writing into a zero-entry calloc\narea. So intead of using e_shnum directly, use the elf_getshdrnum()\nhelper provided by libelf to retrieve the section header counter into\nsec_cnt."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["tools/lib/bpf/libbpf.c"], "versions": [{"version": "25bbbd7a444b1624000389830d46ffdc5b809ee8", "lessThan": "854f8c61422053f71e3cf0c4abf757c8aa5c748d", "status": "affected", "versionType": "git"}, {"version": "25bbbd7a444b1624000389830d46ffdc5b809ee8", "lessThan": "622ff59742fe7bf53c06a57332040fa0e08b8242", "status": "affected", "versionType": "git"}, {"version": "25bbbd7a444b1624000389830d46ffdc5b809ee8", "lessThan": "51deedc9b8680953437dfe359e5268120de10e30", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["tools/lib/bpf/libbpf.c"], "versions": [{"version": "5.16", "status": "affected"}, {"version": "0", "lessThan": "5.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.16", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.2", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/854f8c61422053f71e3cf0c4abf757c8aa5c748d"}, {"url": "https://git.kernel.org/stable/c/622ff59742fe7bf53c06a57332040fa0e08b8242"}, {"url": "https://git.kernel.org/stable/c/51deedc9b8680953437dfe359e5268120de10e30"}], "title": "libbpf: Use elf_getshdrnum() instead of e_shnum", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibbpf: Use elf_getshdrnum() instead of e_shnum\n\nThis commit replace e_shnum with the elf_getshdrnum() helper to fix two\noss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both\nreports are incorrectly marked as fixed and while still being\nreproducible in the latest libbpf.\n\n # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704\n libbpf: loading object 'fuzz-object' from buffer\n libbpf: sec_cnt is 0\n libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2\n libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1\n =================================================================\n ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8\n WRITE of size 4 at 0x6020000000c0 thread T0\n SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)\n #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24\n #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16\n #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20\n ...\n\nThe issue lie in libbpf's direct use of e_shnum field in ELF header as\nthe section header count. Where as libelf implemented an extra logic\nthat, when e_shnum == 0 && e_shoff != 0, will use sh_size member of the\ninitial section header as the real section header count (part of ELF\nspec to accommodate situation where section header counter is larger\nthan SHN_LORESERVE).\n\nThe above inconsistency lead to libbpf writing into a zero-entry calloc\narea. So intead of using e_shnum directly, use the elf_getshdrnum()\nhelper provided by libelf to retrieve the section header counter into\nsec_cnt."}], "id": "CVE-2022-50450", "lastModified": "2025-10-01T12:15:37.680", "metrics": {}, "published": "2025-10-01T12:15:37.680", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/51deedc9b8680953437dfe359e5268120de10e30"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/622ff59742fe7bf53c06a57332040fa0e08b8242"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/854f8c61422053f71e3cf0c4abf757c8aa5c748d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object