Bug 2121800 (CVE-2022-2905) - CVE-2022-2905 kernel: slab-out-of-bound read in bpf
Summary: CVE-2022-2905 kernel: slab-out-of-bound read in bpf
Keywords:
Status: NEW
Alias: CVE-2022-2905
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2121801 2124624 2124625 2124626 2124627
Blocks: 2119814 2119817
TreeView+ depends on / blocked
 
Reported: 2022-08-26 16:43 UTC by Marian Rehak
Modified: 2023-11-16 07:54 UTC (History)
49 users (show)

Fixed In Version: Linux kernel 6.0-rc4
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Marian Rehak 2022-08-26 16:43:58 UTC 
A  bug in the x86 BPF JIT compiler. A bpf_tail_call with a key larger than the max_entries of the map can cause an out-of-bound access when the x86 JIT compiler tries to index bpf_array->ptr using the invalid key.

References:

https://www.openwall.com/lists/oss-security/2022/08/26/1
https://lore.kernel.org/bpf/984b37f9fdf7ac36831d2137415a4a915744c1b6.1661462653.git.daniel@iogearbox.net/
Comment 1 Marian Rehak 2022-08-26 16:44:31 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2121801]
Comment 4 Justin M. Forbes 2022-09-20 14:05:07 UTC 
This was fixed for Fedora with the 5.19.6 stable kernel updates.
Note You need to log in before you can comment on or make changes to this bug.