{"id":"CVE-2022-49985","summary":"bpf: Don't use tnum_range on array range checking for poke descriptors","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Don't use tnum_range on array range checking for poke descriptors\n\nHsin-Wei reported a KASAN splat triggered by their BPF runtime fuzzer which\nis based on a customized syzkaller:\n\n  BUG: KASAN: slab-out-of-bounds in bpf_int_jit_compile+0x1257/0x13f0\n  Read of size 8 at addr ffff888004e90b58 by task syz-executor.0/1489\n  CPU: 1 PID: 1489 Comm: syz-executor.0 Not tainted 5.19.0 #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n  1.13.0-1ubuntu1.1 04/01/2014\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x9c/0xc9\n   print_address_description.constprop.0+0x1f/0x1f0\n   ? bpf_int_jit_compile+0x1257/0x13f0\n   kasan_report.cold+0xeb/0x197\n   ? kvmalloc_node+0x170/0x200\n   ? bpf_int_jit_compile+0x1257/0x13f0\n   bpf_int_jit_compile+0x1257/0x13f0\n   ? arch_prepare_bpf_dispatcher+0xd0/0xd0\n   ? rcu_read_lock_sched_held+0x43/0x70\n   bpf_prog_select_runtime+0x3e8/0x640\n   ? bpf_obj_name_cpy+0x149/0x1b0\n   bpf_prog_load+0x102f/0x2220\n   ? __bpf_prog_put.constprop.0+0x220/0x220\n   ? find_held_lock+0x2c/0x110\n   ? __might_fault+0xd6/0x180\n   ? lock_downgrade+0x6e0/0x6e0\n   ? lock_is_held_type+0xa6/0x120\n   ? __might_fault+0x147/0x180\n   __sys_bpf+0x137b/0x6070\n   ? bpf_perf_link_attach+0x530/0x530\n   ? new_sync_read+0x600/0x600\n   ? __fget_files+0x255/0x450\n   ? lock_downgrade+0x6e0/0x6e0\n   ? fput+0x30/0x1a0\n   ? ksys_write+0x1a8/0x260\n   __x64_sys_bpf+0x7a/0xc0\n   ? syscall_enter_from_user_mode+0x21/0x70\n   do_syscall_64+0x3b/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  RIP: 0033:0x7f917c4e2c2d\n\nThe problem here is that a range of tnum_range(0, map-\u003emax_entries - 1) has\nlimited ability to represent the concrete tight range with the tnum as the\nset of resulting states from value + mask can result in a superset of the\nactual intended range, and as such a tnum_in(range, reg-\u003evar_off) check may\nyield true when it shouldn't, for example tnum_range(0, 2) would result in\n00XX -\u003e v = 0000, m = 0011 such that the intended set of {0, 1, 2} is here\nrepresented by a less precise superset of {0, 1, 2, 3}. As the register is\nknown const scalar, really just use the concrete reg-\u003evar_off.value for the\nupper index check.","modified":"2026-04-03T13:14:43.603802Z","published":"2025-06-18T11:00:47.251Z","related":["ALSA-2025:15471","ALSA-2025:15472","SUSE-SU-2025:02264-1","SUSE-SU-2025:02308-1","SUSE-SU-2025:02320-1","SUSE-SU-2025:02321-1","SUSE-SU-2025:02322-1","SUSE-SU-2025:02537-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49985.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4f672112f8665102a5842c170be1713f8ff95919"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a36df92c7ff7ecde2fb362241d0ab024dddd0597"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a657182a5c5150cdfacb6640aad1d2712571a409"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e8979807178434db8ceaa84dfcd44363e71e50bb"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49985.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49985"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d2e4c1e6c2947269346054ac8937ccfe9e0bcc6b"},{"fixed":"e8979807178434db8ceaa84dfcd44363e71e50bb"},{"fixed":"4f672112f8665102a5842c170be1713f8ff95919"},{"fixed":"a36df92c7ff7ecde2fb362241d0ab024dddd0597"},{"fixed":"a657182a5c5150cdfacb6640aad1d2712571a409"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49985.json"}}],"schema_version":"1.7.5"}