CVE-2022-49873

Source
https://cve.org/CVERecord?id=CVE-2022-49873
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49873.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49873
Published
2025-05-01T14:10:23.128Z
Modified
2026-04-11T12:44:37.569614Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
bpf: Fix wrong reg type conversion in release_reference()
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix wrong reg type conversion in release_reference()

Some helper functions will allocate memory. To avoid memory leaks, the verifier requires the eBPF program to release these memories by calling the corresponding helper functions.

When a resource is released, all pointer registers corresponding to the resource should be invalidated. The verifier uses release_references() to do this job, by applying __mark_reg_unknown() to each relevant register.

It will give these registers the type of SCALAR_VALUE. A register that will contain a pointer value at runtime but has type SCALAR_VALUE may allow the unprivileged user to get a kernel pointer by storing this register into a map.

Using __mark_reg_not_init() while NOT allow_ptr_leaks can mitigate this problem.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49873.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fd978bf7fd312581a7ca454a991f0ffb34c4204b
Fixed
cedd4f01f67be94735f15123158f485028571037
Fixed
466ce46f251dfb259a8cbaa895ab9edd6fb56240
Fixed
ae5ccad6c711db0f2ca1231be051935dd128b8f5
Fixed
f1db20814af532f85e091231223e5e4818e8464b

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49873.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.10.155
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.79
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49873.json"