CVE-2022-48940 in Linuxinfo

Summary

by MITRE • 08/22/2024

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix crash due to incorrect copy_map_value

When both bpf_spin_lock and bpf_timer are present in a BPF map value, copy_map_value needs to skirt both objects when copying a value into and out of the map. However, the current code does not set both s_off and t_off in copy_map_value, which leads to a crash when e.g. bpf_spin_lock is placed in map value with bpf_timer, as bpf_map_update_elem call will be able to overwrite the other timer object.

When the issue is not fixed, an overwriting can produce the following splat:

[root@(none) bpf]# ./test_progs -t timer_crash
[ 15.930339] bpf_testmod: loading out-of-tree module taints kernel.
[ 16.037849] ==================================================================
[ 16.038458] BUG: KASAN: user-memory-access in __pv_queued_spin_lock_slowpath+0x32b/0x520
[ 16.038944] Write of size 8 at addr 0000000000043ec0 by task test_progs/325
[ 16.039399]
[ 16.039514] CPU: 0 PID: 325 Comm: test_progs Tainted: G OE 5.16.0+ #278
[ 16.039983] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.15.0-1 04/01/2014
[ 16.040485] Call Trace:
[ 16.040645]
[ 16.040805] dump_stack_lvl+0x59/0x73
[ 16.041069] ? __pv_queued_spin_lock_slowpath+0x32b/0x520
[ 16.041427] kasan_report.cold+0x116/0x11b
[ 16.041673] ? __pv_queued_spin_lock_slowpath+0x32b/0x520
[ 16.042040] __pv_queued_spin_lock_slowpath+0x32b/0x520
[ 16.042328] ? memcpy+0x39/0x60
[ 16.042552] ? pv_hash+0xd0/0xd0
[ 16.042785] ? lockdep_hardirqs_off+0x95/0xd0
[ 16.043079] __bpf_spin_lock_irqsave+0xdf/0xf0
[ 16.043366] ? bpf_get_current_comm+0x50/0x50
[ 16.043608] ? jhash+0x11a/0x270
[ 16.043848] bpf_timer_cancel+0x34/0xe0
[ 16.044119] bpf_prog_c4ea1c0f7449940d_sys_enter+0x7c/0x81
[ 16.044500] bpf_trampoline_6442477838_0+0x36/0x1000
[ 16.044836] __x64_sys_nanosleep+0x5/0x140
[ 16.045119] do_syscall_64+0x59/0x80
[ 16.045377] ? lock_is_held_type+0xe4/0x140
[ 16.045670] ? irqentry_exit_to_user_mode+0xa/0x40
[ 16.046001] ? mark_held_locks+0x24/0x90
[ 16.046287] ? asm_exc_page_fault+0x1e/0x30
[ 16.046569] ? asm_exc_page_fault+0x8/0x30
[ 16.046851] ? lockdep_hardirqs_on+0x7e/0x100
[ 16.047137] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 16.047405] RIP: 0033:0x7f9e4831718d
[ 16.047602] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48
[ 16.048764] RSP: 002b:00007fff488086b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000023
[ 16.049275] RAX: ffffffffffffffda RBX: 00007f9e48683740 RCX: 00007f9e4831718d
[ 16.049747] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff488086d0
[ 16.050225] RBP: 00007fff488086f0 R08: 00007fff488085d7 R09: 00007f9e4cb594a0
[ 16.050648] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f9e484cde30
[ 16.051124] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 16.051608]
[ 16.051762] ==================================================================

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 08/23/2024

The vulnerability identified as CVE-2022-48940 resides within the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically in the bpf_map_update_elem function's handling of map value copying operations. This flaw manifests when both bpf_spin_lock and bpf_timer objects are present within the same BPF map value structure, creating a critical race condition that can lead to kernel crashes and potential privilege escalation. The issue stems from an incomplete implementation of the copy_map_value function that fails to properly initialize both source and target offset parameters, s_off and t_off, during memory copy operations between BPF map elements.

The technical root cause of this vulnerability lies in the improper synchronization of memory operations when copying complex data structures containing embedded locking and timing primitives. When the kernel attempts to update a BPF map element that contains both a spin lock and a timer, the copy_map_value function does not correctly account for the memory layout of these objects, resulting in memory corruption during the copy process. This misalignment causes the kernel's memory management subsystem to overwrite critical data structures, particularly affecting the timer object's internal state and potentially corrupting the spin lock metadata. The vulnerability is classified under CWE-121 as a stack-based buffer overflow, though it manifests as a memory corruption issue in kernel space rather than traditional buffer overflow conditions.

The operational impact of this vulnerability is severe, as it can lead to immediate system crashes through kernel address sanitizer (KASAN) detection mechanisms, as demonstrated in the test case output showing a KASAN user-memory-access violation. The crash occurs when the __pv_queued_spin_lock_slowpath function attempts to access memory at address 0x0000000000043ec0, indicating that the spin lock structure has been corrupted during the copy operation. This vulnerability affects systems running Linux kernel versions where the bpf subsystem is enabled and actively used, particularly in environments where eBPF programs interact with complex data structures containing synchronization primitives. The crash pattern suggests that the bpf_timer_cancel function is invoked during a corrupted timer state, which is a direct consequence of the improper memory copying that occurs when both lock and timer objects are present in the same map value.

Mitigation strategies for CVE-2022-48940 involve immediate kernel updates to versions that contain the patched bpf_map_update_elem implementation, where the copy_map_value function properly initializes both s_off and t_off parameters during memory copy operations. System administrators should prioritize patching affected systems, particularly those running kernel versions prior to the fix, and monitor for potential exploitation attempts targeting this vulnerability. The fix implements proper memory offset handling for complex BPF map value structures, ensuring that when both bpf_spin_lock and bpf_timer objects coexist in map values, the copy operations maintain the integrity of both synchronization primitives. Organizations should also consider implementing additional monitoring for unusual kernel crash patterns and ensure that eBPF programs are reviewed for improper use of synchronization primitives within map values. This vulnerability aligns with ATT&CK technique T1059.006 for kernel-mode rootkits and T1547.006 for kernel modules, as exploitation could enable persistence through modified kernel components. The patched implementation follows security best practices outlined in the Linux kernel security documentation and ensures proper memory management when dealing with complex data structures in kernel space.

Responsible

Linux

Reservation

08/22/2024

Disclosure

08/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00207

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!