CVE-2022-49341 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Clear prog->jited_len along prog->jited

syzbot reported an illegal copy_to_user() attempt from bpf_prog_get_info_by_fd() [1]

There was no repro yet on this bug, but I think that commit 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns") is exposing a prior bug in bpf arm64.

bpf_prog_get_info_by_fd() looks at prog->jited_len to determine if the JIT image can be copied out to user space.

My theory is that syzbot managed to get a prog where prog->jited_len has been set to 43, while prog->bpf_func has been cleared.

It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering this particular warning.

I thought find_vma_area(NULL) would not find a vm_struct. As we do not hold vmap_area_lock spinlock, it might be possible that the found vm_struct was garbage.

[1]
usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)!
kernel BUG at mm/usercopy.c:101!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101
lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89
sp : ffff80000b773a20
x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48
x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000
x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001
x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd
x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420
x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031
x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865
x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830
x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000
x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064
Call trace:
 usercopy_abort+0x90/0x94 mm/usercopy.c:89
 check_heap_object mm/usercopy.c:186 [inline]
 __check_object_size mm/usercopy.c:252 [inline]
 __check_object_size+0x198/0x36c mm/usercopy.c:214
 check_object_size include/linux/thread_info.h:199 [inline]
 check_copy_size include/linux/thread_info.h:235 [inline]
 copy_to_user include/linux/uaccess.h:159 [inline]
 bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993
 bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253
 __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956
 __do_sys_bpf kernel/bpf/syscall.c:5021 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5019 [inline]
 __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52
 el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142
 do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206
 el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624
 el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581
Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000)
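The field inconsistency the commit message describes (jited_len still non-zero after bpf_func was cleared) and the fix it names (clear jited_len together with jited) can be modelled outside the kernel. The following is an added example written for this page; it is not kernel code and not part of the commit. The struct, its field names, the toy_* functions and the 43-byte image are all constructed stand-ins; the query gate mirrors only the behaviour the text states, namely that the info query looks at jited_len to decide whether an image may be copied out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the three bpf_prog fields involved
 * (not the kernel's struct bpf_prog). */
struct toy_prog {
    int jited;               /* set once the JIT produced an image */
    unsigned int jited_len;  /* size of the JIT image in bytes */
    void *bpf_func;          /* pointer to the image, NULL when none */
};

/* Constructed stand-in for a 43-byte JIT image (the size in the report). */
static uint8_t toy_image[43];

enum toy_path {
    TOY_JIT_KEPT = 0,           /* image stays valid */
    TOY_TEARDOWN_BEFORE_FIX,    /* teardown that forgets jited_len */
    TOY_TEARDOWN_AFTER_FIX      /* teardown that clears jited_len too */
};

/* JIT "succeeds": all three fields become consistent. */
static void toy_jit(struct toy_prog *p)
{
    p->bpf_func = toy_image;
    p->jited_len = sizeof(toy_image);
    p->jited = 1;
}

/* Pre-fix teardown: jited and bpf_func are cleared but jited_len is
 * left stale, the state the commit message suspects (43 vs NULL). */
static void toy_teardown_before_fix(struct toy_prog *p)
{
    p->jited = 0;
    p->bpf_func = NULL;
}

/* Post-fix teardown: jited_len is cleared along with jited. */
static void toy_teardown_after_fix(struct toy_prog *p)
{
    p->jited = 0;
    p->jited_len = 0;
    p->bpf_func = NULL;
}

/* Model of the info-query gate: jited_len alone decides whether an
 * image is copied out. Returns bytes copied, or -1 when the gate
 * would hand a NULL source to the copy (the reported condition). */
static long toy_get_info(const struct toy_prog *p, uint8_t *out, size_t outlen)
{
    if (p->jited_len == 0)
        return 0;            /* not jited: nothing to copy */
    if (p->bpf_func == NULL)
        return -1;           /* length says "image", pointer says "none" */
    size_t n = p->jited_len < outlen ? p->jited_len : outlen;
    memcpy(out, p->bpf_func, n);
    return (long)n;
}

/* Runs one scenario end to end and reports what the gate would do. */
long scenario(enum toy_path path)
{
    struct toy_prog p = {0};
    uint8_t buf[64];

    toy_jit(&p);
    if (path == TOY_TEARDOWN_BEFORE_FIX)
        toy_teardown_before_fix(&p);
    else if (path == TOY_TEARDOWN_AFTER_FIX)
        toy_teardown_after_fix(&p);
    return toy_get_info(&p, buf, sizeof(buf));
}

int main(void)
{
    printf("image kept:          %ld\n", scenario(TOY_JIT_KEPT));
    printf("teardown before fix: %ld\n", scenario(TOY_TEARDOWN_BEFORE_FIX));
    printf("teardown after fix:  %ld\n", scenario(TOY_TEARDOWN_AFTER_FIX));
    return 0;
}
```

The point of the model is that the query trusts one field (jited_len) as a proxy for another (bpf_func); once a state transition updates only one of them, the proxy lies. Keeping both fields in sync on every transition, as the fix does, is what restores the invariant the query relies on.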


Analysis

by VulDB Data Team • 10/21/2025

The vulnerability described in CVE-2022-49341 affects the Linux kernel's BPF (Berkeley Packet Filter) subsystem on ARM64 architectures. This issue manifests as an illegal copy_to_user() operation within the bpf_prog_get_info_by_fd() function, which triggers a kernel memory exposure warning from the usercopy subsystem. The vulnerability was identified through syzbot, an automated fuzzer, but no direct reproduction has been confirmed. The root cause appears to stem from a race condition or memory consistency issue where prog->jited_len is set to a non-zero value while prog->bpf_func is cleared, leading to attempts to copy from invalid memory locations. The kernel's usercopy mechanism, specifically the vmalloc overrun detection introduced in commit 0aef499f3172, is exposing this pre-existing bug in the BPF arm64 implementation.

The technical flaw involves improper synchronization and memory management during BPF program information retrieval operations. When bpf_prog_get_info_by_fd() executes, it examines prog->jited_len to determine if the JIT (Just-In-Time) compiled program image can be copied to user space. However, in certain race conditions or memory corruption scenarios, the jited_len field may contain a valid size value while the actual program function pointer (bpf_func) has been cleared or invalidated. This creates a scenario where copy_to_user() attempts to copy from a NULL pointer or invalid memory region, triggering the usercopy subsystem's safety checks. The kernel's memory management subsystem detects this as an invalid memory access pattern, specifically identifying an attempt to access vmalloc memory at an offset that would expose kernel memory contents, which aligns with the usercopy.c:101 error location.

The operational impact of this vulnerability is significant for systems running Linux kernels with BPF support on ARM64 platforms. Attackers could potentially exploit this condition to cause kernel oops or panic situations, leading to system instability or denial of service. The vulnerability affects the kernel's ability to properly handle BPF program information queries through the bpf syscall interface, particularly when dealing with JIT-compiled programs. While the exact attack vector remains unclear due to the lack of confirmed reproduction, the nature of the bug suggests it could be triggered through specific sequences of BPF program loading, JIT compilation, and subsequent information retrieval operations. The ARM64 architecture-specific nature means that systems using this architecture are particularly at risk, though the underlying memory management issue could potentially affect other architectures if similar race conditions exist.

Mitigation strategies for this vulnerability should focus on ensuring proper synchronization and memory consistency in BPF program handling operations. The fix implemented in the kernel involves clearing prog->jited_len alongside prog->jited to maintain consistency between these related fields during program state transitions. This prevents the scenario where jited_len indicates a valid JIT image size while the actual program function pointer is cleared. System administrators should ensure their Linux kernels are updated to versions containing this fix, particularly those running BPF-dependent applications on ARM64 systems. Additionally, monitoring for kernel oops or memory-related errors in systems using BPF functionality can help detect potential exploitation attempts. The vulnerability aligns with CWE-129, which describes improper validation of array indices, and could be categorized under ATT&CK technique T1059.006 for kernel-mode rootkits or T1547.001 for privilege escalation through kernel vulnerabilities. Organizations should also consider implementing kernel memory protection mechanisms and regular security audits of BPF-related functionality in their systems.
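The analysis suggests monitoring for kernel oops and memory-related errors on BPF-using hosts. The usercopy message quoted in the syzbot report has a fixed format, so a log pipeline can pick it out and extract the region, offset and size. Below is an added example for this page, not tooling from VulDB or the kernel project; the sample lines are constructed (the first reproduces the format of the message in the report above), and the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed dmesg-style sample lines. Only the first is a usercopy
 * exposure report; the others are ordinary noise. */
static const char *sample_lines[] = {
    "[  123.456789] usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)!",
    "[  123.456790] kernel BUG at mm/usercopy.c:101!",
    "[  124.000000] systemd[1]: Started Session 1 of user root.",
};
static const size_t sample_count = sizeof(sample_lines) / sizeof(sample_lines[0]);

/* Parsed fields of one usercopy exposure report. */
struct usercopy_event {
    char region[32];             /* e.g. "vmalloc" */
    unsigned long long offset;   /* offset the kernel printed */
    unsigned long size;          /* attempted copy size in bytes */
};

static const char USERCOPY_PREFIX[] =
    "usercopy: Kernel memory exposure attempt detected from ";

/* Returns 1 and fills *ev when the line is a usercopy exposure report,
 * 0 otherwise. The timestamp and anything before the prefix are ignored
 * so the parser works on raw dmesg and on syslog-forwarded lines alike. */
int parse_usercopy_line(const char *line, struct usercopy_event *ev)
{
    const char *p = strstr(line, USERCOPY_PREFIX);
    if (p == NULL)
        return 0;
    p += strlen(USERCOPY_PREFIX);
    /* "%31s" stops at the space before "(offset", keeping the region name. */
    if (sscanf(p, "%31s (offset %llu, size %lu)",
               ev->region, &ev->offset, &ev->size) != 3)
        return 0;
    return 1;
}

/* Scans a batch of lines and counts usercopy reports; the first match is
 * copied to *first (if non-NULL) so a caller can raise an alert with it. */
int count_usercopy_events(const char **lines, size_t n, struct usercopy_event *first)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        struct usercopy_event ev;
        if (!parse_usercopy_line(lines[i], &ev))
            continue;
        if (hits == 0 && first != NULL)
            *first = ev;
        hits++;
    }
    return hits;
}

int main(void)
{
    struct usercopy_event ev;
    int hits = count_usercopy_events(sample_lines, sample_count, &ev);
    if (hits > 0)
        printf("%d usercopy report(s); first: region=%s offset=%llu size=%lu\n",
               hits, ev.region, ev.offset, ev.size);
    return 0;
}
```

A single occurrence of this message is worth an alert on its own: the kernel only prints it when hardened usercopy has refused a copy, so it is a high-signal, low-volume event, and the accompanying "kernel BUG" line means the task was killed.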

Responsible: Linux

Reservation: 02/26/2025

Disclosure: 02/26/2025

Moderation: accepted

CPE: ready

EPSS: 0.00270

KEV: no

Activities: very low
