Security tracker / CVE-2022-0500

CVE-2022-0500

Flaw in unrestricted eBPF usage by the BPF_BTF_LOAD

References

• Debian security tracker
• cve.org
• https://bugzilla.redhat.com/show_bug.cgi?id=2044578
• https://access.redhat.com/security/cve/CVE-2022-0500

Notes

 carnil> As of 2022-02-21 the RH bugzilla entry does not contain enough
 carnil> information to determine which commit(s) in 5.17-rc1 are meant
 carnil> to address the issue.
 carnil> Fixed as well in 5.16.11 for 5.16.y.
 carnil> Additionally we need to clarify the scope of CVE-2022-0500. The
 carnil> list of commits cover as well
 carnil> c25b2ae136039ffa820c26138ed4a5e5f3ab3841 which for older
 carnil> version addressed "bpf: Fix out of bounds access from invalid
 carnil> *_or_null type verification".
 carnil> https://bugzilla.redhat.com/show_bug.cgi?id=2044578#c13 is
 carnil> unaswered yet (as of 2022-02-23).
 carnil> https://lore.kernel.org/stable/20220216225209.2196865-1-haoluo@google.com/
 carnil> The fix for the specific CVE is patch 7/9 "bpf: Make
 carnil> per_cpu_ptr return rdonly PTR_TO_MEM".
 bwh> Commit 34d3a78c681 references several commits from 5.10 as
 bwh> being fixed, so branches based on 5.10 are affected and older
 bwh> branches are probably not.

Bugs

Status

Branch	Status
upstream	released (5.17-rc1) [d639b9d13a39cf15639cbe6e8b2c43eb60148a73, 48946bd6a5d695c50b34546864b79c1f910a33c1, 3c4807322660d4290ac9062c034aed6b87243861, c25b2ae136039ffa820c26138ed4a5e5f3ab3841, 20b2aff4bc15bda809f994761d5719827d66c0b4, cf9f2f8d62eca810afbd1ee6cc0800202b000e57, 34d3a78c681e8e7844b43d1a2f4671a04249c821]
6.18-upstream-stable
6.17-upstream-stable
6.12-upstream-stable
6.6-upstream-stable
6.1-upstream-stable	N/A "Fixed before branch point"
5.10-upstream-stable	needed
4.19-upstream-stable	N/A "Vulnerable code not present"
4.9-upstream-stable	N/A "Vulnerable code not present"
sid	released (5.16.10-1) [bugfix/all/bpf-introduce-composable-reg-ret-and-arg-types.patch, bugfix/all/bpf-replace-arg_xxx_or_null-with-arg_xxx-ptr_maybe_null.patch, bugfix/all/bpf-replace-ret_xxx_or_null-with-ret_xxx-ptr_maybe_null.patch, bugfix/all/bpf-replace-ptr_to_xxx_or_null-with-ptr_to_xxx-ptr_maybe_null.patch, bugfix/all/bpf-introduce-mem_rdonly-flag.patch, bugfix/all/bpf-convert-ptr_to_mem_or_null-to-composable-types.patch, bugfix/all/bpf-make-per_cpu_ptr-return-rdonly-ptr_to_mem.patch]
6.12-trixie-security
6.1-bookworm-security	N/A "Fixed before branch point"
5.10-bullseye-security	needed
4.19-buster-security	N/A "Vulnerable code not present"
4.9-stretch-security	N/A "Vulnerable code not present"