DEBIAN-CVE-2022-49840

Source
https://security-tracker.debian.org/tracker/CVE-2022-49840
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2022-49840.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2022-49840
Upstream
Published
2025-05-01T15:16:07Z
Modified
2025-09-25T23:28:20.530912Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()

We got a syzkaller problem because of an aarch64 alignment fault if KFENCE is enabled. When the size from the user bpf program is an odd number, like 399, 407, etc., it will cause an unaligned access to the struct skb_shared_info. As seen below:

BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032

Use-after-free read at 0xffff6254fffac077 (in kfence-#213):
 __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]
 arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]
 arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]
 atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]
 __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
 skb_clone+0xf4/0x214 net/core/skbuff.c:1481
 bpf_clone_redirect net/core/filter.c:2433 [inline]
 bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420
 bpf_prog_d3839dd9068ceb51+0x80/0x330
 bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]
 bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53
 bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594
 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
 __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381

kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512

allocated by task 15074 on cpu 0 at 1342.585390s:
 kmalloc include/linux/slab.h:568 [inline]
 kzalloc include/linux/slab.h:675 [inline]
 bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191
 bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512
 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
 __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
 __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381

To fix the problem, we adjust @size so that (@size + @headroom) is a multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info is aligned to a cache line.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.158-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}