CVE-2022-48755 in Linux
Summary
by MITRE • 06/20/2024
In the Linux kernel, the following vulnerability has been resolved:
powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06
Johan reported the below crash with test_bpf on ppc64 e5500:
test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1 Oops: Exception in kernel mode, sig: 4 [#1]
BE PAGE_SIZE=4K SMP NR_CPUS=24 QEMU e500 Modules linked in: test_bpf(+) CPU: 0 PID: 76 Comm: insmod Not tainted 5.14.0-03771-g98c2059e008a-dirty #1 NIP: 8000000000061c3c LR: 80000000006dea64 CTR: 8000000000061c18 REGS: c0000000032d3420 TRAP: 0700 Not tainted (5.14.0-03771-g98c2059e008a-dirty) MSR: 0000000080089000 CR: 88002822 XER: 20000000 IRQMASK: 0 NIP [8000000000061c3c] 0x8000000000061c3c
LR [80000000006dea64] .__run_one+0x104/0x17c [test_bpf]
Call Trace: .__run_one+0x60/0x17c [test_bpf] (unreliable)
.test_bpf_init+0x6a8/0xdc8 [test_bpf]
.do_one_initcall+0x6c/0x28c .do_init_module+0x68/0x28c .load_module+0x2460/0x2abc .__do_sys_init_module+0x120/0x18c .system_call_exception+0x110/0x1b8 system_call_common+0xf0/0x210 --- interrupt: c00 at 0x101d0acc ---[ end trace 47b2bf19090bb3d0 ]---
Illegal instruction
The illegal instruction turned out to be 'ldbrx' emitted for BPF_FROM_[L|B]E, which was only introduced in ISA v2.06. Guard use of
the same and implement an alternative approach for older processors.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/07/2025
The vulnerability described in CVE-2022-48755 represents a critical compatibility issue within the Linux kernel's powerpc64 architecture implementation, specifically affecting the Berkeley Packet Filter (BPF) subsystem. This flaw manifests when the kernel attempts to execute the 'ldbrx' instruction on processors that do not support the Instruction Set Architecture (ISA) version 2.06, leading to immediate system crashes and kernel oops conditions. The issue was identified through testing with the test_bpf module on e5500 processors, which are based on older ISA versions that lack support for the 'ldbrx' instruction. The crash occurs during kernel execution when BPF programs attempt to perform byte-order conversions using the 'ldbrx' instruction, which is fundamentally incompatible with older processor architectures.
The technical root cause stems from the kernel's BPF JIT compiler generating machine code that assumes all target powerpc64 processors support the 'ldbrx' instruction, which was introduced in ISA v2.06. This instruction performs a load doubleword big-endian with indexed addressing, a feature not available on older processors such as those based on the e500 architecture. When the kernel's BPF implementation encounters a BPF instruction that requires byte-order conversion, it generates code containing 'ldbrx' instructions without first checking processor compatibility. This results in illegal instruction exceptions that trigger kernel oops conditions and system crashes. The vulnerability directly relates to CWE-119 Improper Access to Memory and CWE-787 Out-of-bounds Write, as the kernel fails to properly validate instruction set compatibility before code generation.
The operational impact of this vulnerability is severe, particularly for embedded systems and older server hardware running powerpc64 architectures. Systems using e5500 processors or other older powerpc64 chips that lack ISA v2.06 support will experience immediate kernel panics and system instability when BPF programs are executed. This affects network filtering, packet analysis, and security monitoring applications that rely on BPF functionality. The vulnerability is especially concerning in production environments where legacy hardware remains in use, as it can cause unexpected system downtime and service interruptions. The crash occurs at kernel level with SIGSEGV signals and specific memory addresses indicating the illegal instruction execution point, making it difficult to recover without system reboot.
Mitigation strategies for this vulnerability involve implementing proper processor compatibility checking within the BPF JIT compiler before generating code containing 'ldbrx' instructions. The solution requires conditional code generation that detects the target processor's ISA version and selects appropriate alternative instructions for older processors. This approach aligns with ATT&CK technique T1059.007 Command and Scripting Interpreter: Python, where system-level compatibility checks prevent execution of unsupported instruction sets. System administrators should ensure that BPF programs are compiled with appropriate target architecture flags, and kernel updates should include the fix that guards against 'ldbrx' usage on incompatible processors. Additionally, organizations should consider maintaining separate BPF compilation paths for different processor generations or implementing runtime detection mechanisms that identify processor capabilities before executing BPF code. The fix ensures that older processors use alternative byte-order conversion methods while maintaining performance for newer hardware that supports the advanced instruction set.