Bug 2044578 (CVE-2022-0500) - CVE-2022-0500 kernel: Linux ebpf logic vulnerability leads to critical memory read and write gaining root privileges
Summary: CVE-2022-0500 kernel: Linux ebpf logic vulnerability leads to critical memory...
Keywords:
Status: NEW
Alias: CVE-2022-0500
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2045103 2045104 2045105 2045106 2056248
Blocks: 2044579 2050770
TreeView+ depends on / blocked
 
Reported: 2022-01-24 19:05 UTC by Pedro Sampaio
Modified: 2024-02-08 16:51 UTC (History)
46 users (show)

Fixed In Version: Linux kernel 5.17-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel’s BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:0724 0 None None None 2024-02-07 16:28:26 UTC

Description Pedro Sampaio 2022-01-24 19:05:54 UTC 
Linux ebpf logic vulnerability leads to critical memory read and write,An attacker with cap_bpf can gain root privileges or container escape.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=2040599
Comment 8 Alex 2022-02-20 13:50:08 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2056248]
Comment 10 Salvatore Bonaccorso 2022-02-21 07:32:03 UTC 
Hi Pedro

The information is quite scarce here to determine which kernel versions are affected by the issue. Can you point to the upstream fix in 5.17-rc1 which fixes the issue? I'm interested to correctly track this CVE in another downstream distribution.

Many thanks already!

Regards,
Salvatore
Comment 11 Pedro Sampaio 2022-02-21 13:06:46 UTC 
In reply to comment #10:
> Hi Pedro
> 
> The information is quite scarce here to determine which kernel versions are
> affected by the issue. Can you point to the upstream fix in 5.17-rc1 which
> fixes the issue? I'm interested to correctly track this CVE in another
> downstream distribution.
> 
> Many thanks already!
> 
> Regards,
> Salvatore

You can find the related commits here:

https://access.redhat.com/security/cve/CVE-2022-0500
Comment 12 Salvatore Bonaccorso 2022-02-21 13:14:23 UTC 
Hi Pedro,

(In reply to Pedro Sampaio from comment #11)
> In reply to comment #10:
> > Hi Pedro
> > 
> > The information is quite scarce here to determine which kernel versions are
> > affected by the issue. Can you point to the upstream fix in 5.17-rc1 which
> > fixes the issue? I'm interested to correctly track this CVE in another
> > downstream distribution.
> > 
> > Many thanks already!
> > 
> > Regards,
> > Salvatore
> 
> You can find the related commits here:
> 
> https://access.redhat.com/security/cve/CVE-2022-0500

Thank you!
Comment 13 Salvatore Bonaccorso 2022-02-21 13:18:35 UTC 
Pedro, I wonder this is not duplicating CVE-2022-23222 right because treating a different aspect?
Comment 14 Salvatore Bonaccorso 2022-02-24 08:21:50 UTC 
Given https://lore.kernel.org/stable/20220216225209.2196865-1-haoluo@google.com/ this would be separate from CVE-2022-23222 and the fix for this vulnerability is the there mentioned 7th patch ("bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM").
Comment 29 errata-xmlrpc 2024-02-07 16:28:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0724 https://access.redhat.com/errata/RHSA-2024:0724
Note You need to log in before you can comment on or make changes to this bug.