bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2022-49961
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2025-06-18 11:15:23 UTC
Updated2026-06-01 17:16:22 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO Precision markers need to be propagated whenever we have an ARG_CONST_* style argument, as the verifier cannot consider imprecise scalars to be equivalent for the purposes of states_equal check when such arguments refine the return value (in this case, set mem_size for PTR_TO_MEM). The resultant mem_size for the R0 is derived from the constant value, and if the verifier incorrectly prunes states considering them equivalent where such arguments exist (by seeing that both registers have reg->precise as false in regsafe), we can end up with invalid programs passing the verifier which can do access beyond what should have been the correct mem_size in that explored state. To show a concrete example of the problem: 0000000000000000 <prog>: 0: r2 = *(u32 *)(r1 + 80) 1: r1 = *(u32 *)(r1 + 76) 2: r3 = r1 3: r3 += 4 4: if r3 > r2 goto +18 <LBB5_5> 5: w2 = 0 6: *(u32 *)(r1 + 0) = r2 7: r1 = *(u32 *)(r1 + 0) 8: r2 = 1 9: if w1 == 0 goto +1 <LBB5_3> 10: r2 = -1 0000000000000058 <LBB5_3>: 11: r1 = 0 ll 13: r3 = 0 14: call bpf_ringbuf_reserve 15: if r0 == 0 goto +7 <LBB5_5> 16: r1 = r0 17: r1 += 16777215 18: w2 = 0 19: *(u8 *)(r1 + 0) = r2 20: r1 = r0 21: r2 = 0 22: call bpf_ringbuf_submit 00000000000000b8 <LBB5_5>: 23: w0 = 0 24: exit For the first case, the single line execution's exploration will prune the search at insn 14 for the branch insn 9's second leg as it will be verified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will always be 0 so at runtime we don't get error for being greater than UINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just sees reg->precise as false for both r2 registers in both states, hence considers them equal for purposes of states_equal. If we propagated precise markers using the backtracking support, we would use the precise marking to then ensure that old r2 (UINT_MAX) was within the new r2 (1) and this would never be true, so the verification would rightfully fail. The end result is that the out of bounds access at instruction 19 would be permitted without this fix. Note that reg->precise is always set to true when user does not have CAP_BPF (or when subprog count is greater than 1 (i.e. use of any static or global functions)), hence this is only a problem when precision marks need to be explicitly propagated (i.e. privileged users with CAP_BPF). A simplified test case has been included in the next patch to prevent future regressions.

Risk And Classification

Primary CVSS: v3.1 7.1 HIGH from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS: 0.000710000 probability, percentile 0.218870000 (date 2026-06-04)

Problem Types: CWE-125

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All
Operating System Linux Linux Kernel 6.0 rc1 All All
Operating System Linux Linux Kernel 6.0 rc2 All All
Operating System Linux Linux Kernel 6.0 rc3 All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 457f44363a8894135c85b7a9afd2bd8196db24ab 987b4c465ba28c662ca857be6c20fd2d96bc55f0 git Not specified
CNA Linux Linux affected 457f44363a8894135c85b7a9afd2bd8196db24ab 2459615a8d7f44ac81f0965bc094e55ccb254717 git Not specified
CNA Linux Linux affected 457f44363a8894135c85b7a9afd2bd8196db24ab 2fc31465c5373b5ca4edf2e5238558cb62902311 git Not specified
CNA Linux Linux affected 5.8 Not specified
CNA Linux Linux unaffected 5.8 semver Not specified
CNA Linux Linux unaffected 5.15.209 5.15.* semver Not specified
CNA Linux Linux unaffected 5.19.8 5.19.* semver Not specified
CNA Linux Linux unaffected 6.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/2459615a8d7f44ac81f0965bc094e55ccb254717 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/2fc31465c5373b5ca4edf2e5238558cb62902311 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/987b4c465ba28c662ca857be6c20fd2d96bc55f0 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report