CVE-2022-49837

Source: https://nvd.nist.gov/vuln/detail/CVE-2022-49837
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49837.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2022-49837
Published: 2025-05-01T14:09:54Z
Modified: 2025-10-13T22:17:08.276078Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
bpf: Fix memory leaks in __check_func_call
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix memory leaks in __check_func_call

kmemleak reports this issue:

    unreferenced object 0xffff88817139d000 (size 2048):
      comm "test_progs", pid 33246, jiffies 4307381979 (age 45851.820s)
      hex dump (first 32 bytes):
        01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<0000000045f075f0>] kmalloc_trace+0x27/0xa0
        [<0000000098b7c90a>] __check_func_call+0x316/0x1230
        [<00000000b4c3c403>] check_helper_call+0x172e/0x4700
        [<00000000aa3875b7>] do_check+0x21d8/0x45e0
        [<000000001147357b>] do_check_common+0x767/0xaf0
        [<00000000b5a595b4>] bpf_check+0x43e3/0x5bc0
        [<0000000011e391b1>] bpf_prog_load+0xf26/0x1940
        [<0000000007f765c0>] __sys_bpf+0xd2c/0x3650
        [<00000000839815d6>] __x64_sys_bpf+0x75/0xc0
        [<00000000946ee250>] do_syscall_64+0x3b/0x90
        [<0000000000506b7f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause here is: in function prepare_func_exit(), the callee is not released in the abnormal scenario after "state->curframe--;". To fix, move "state->curframe--;" to the very bottom of the function, right when we free callee and reset frame[] pointer to NULL, as Andrii suggested.

In addition, function __check_func_call() has a similar problem. In the abnormal scenario before "state->curframe++;", the callee also should be released by free_func_state().
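
The bookkeeping described above, as an added user-space model (not the kernel's code and not taken from the patch). It assumes that teardown after a failed check only walks frames 0..curframe, so a callee that sits outside that range is never freed; all type and function names are hypothetical. `leaked()` returns the number of frames still allocated after one scenario.

```c
#include <stdlib.h>

/* User-space model of the frame bookkeeping; all names are hypothetical. */
struct vstate { void *frame[8]; int curframe; };
static int live;                    /* frames allocated and not yet freed */
static void *frame_alloc(void) { live++; return calloc(1, 64); }
static void frame_free(void **s) { if (*s) { live--; free(*s); *s = NULL; } }

/* Assumed teardown after a failed check: walks frames 0..curframe only. */
static void state_free(struct vstate *st) {
    for (int i = 0; i <= st->curframe; i++)
        frame_free(&st->frame[i]);
}

/* Entering a callee; `fail` is the abnormal scenario before curframe++. */
static int func_call(struct vstate *st, int fail, int fixed) {
    st->frame[st->curframe + 1] = frame_alloc();
    if (fail) {
        if (fixed)                  /* fix: release callee on the error path */
            frame_free(&st->frame[st->curframe + 1]);
        return -1;
    }
    st->curframe++;
    return 0;
}

/* Leaving a callee; `fail` is the abnormal scenario before it is freed. */
static int func_exit(struct vstate *st, int fail, int fixed) {
    int idx = st->curframe;
    if (!fixed)
        st->curframe--;             /* bug: callee leaves teardown's range */
    if (fail)
        return -1;
    frame_free(&st->frame[idx]);
    if (fixed)
        st->curframe--;             /* fix: decrement only once callee is freed */
    return 0;
}

/* Runs one scenario, tears the state down, returns frames still allocated. */
int leaked(int fail_call, int fail_exit, int fixed) {
    struct vstate st = { .curframe = 0 };
    live = 0;
    st.frame[0] = frame_alloc();
    if (func_call(&st, fail_call, fixed) == 0)
        func_exit(&st, fail_exit, fixed);
    state_free(&st);
    return live;
}
```

With `fixed` set to 0, either failure scenario leaves one frame allocated; with `fixed` set to 1, both return 0.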

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: fd978bf7fd312581a7ca454a991f0ffb34c4204b
  Fixed: d4944497827a3d14bc5a26dbcfb7433eb5a956c0

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: fd978bf7fd312581a7ca454a991f0ffb34c4204b
  Fixed: 83946d772e756734a900ef99dbe0aeda506adf37

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: fd978bf7fd312581a7ca454a991f0ffb34c4204b
  Fixed: eb86559a691cea5fa63e57a03ec3dc9c31e97955

Affected versions

v4.*

v4.19
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7

v5.*

v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.72
v5.15.73
v5.15.74
v5.15.75
v5.15.76
v5.15.77
v5.15.78
v5.15.79
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1-rc1
v6.1-rc2
v6.1-rc3

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 4.20.0
  Fixed: 5.15.80

Type: ECOSYSTEM
Events:
  Introduced: 5.16.0
  Fixed: 6.0.10