{"id":"CVE-2022-50069","summary":"BPF: Fix potential bad pointer dereference in bpf_sys_bpf()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nBPF: Fix potential bad pointer dereference in bpf_sys_bpf()\n\nThe bpf_sys_bpf() helper function allows an eBPF program to load another\neBPF program from within the kernel. In this case the argument union\nbpf_attr pointer (as well as the insns and license pointers inside) is a\nkernel address instead of a userspace address (which is the case of a\nusual bpf() syscall). To make the memory copying process in the syscall\nwork in both cases, bpfptr_t was introduced to wrap around the pointer\nand distinguish its origin. Specifically, when copying memory contents\nfrom a bpfptr_t, a copy_from_user() is performed in case of a userspace\naddress and a memcpy() is performed for a kernel address.\n\nThis can lead to problems because the in-kernel pointer is never checked\nfor validity. The problem happens when an eBPF syscall program tries to\ncall bpf_sys_bpf() to load a program but provides a bad insns pointer --\nsay 0xdeadbeef -- in the bpf_attr union. The helper calls __sys_bpf()\nwhich would then call bpf_prog_load() to load the program.\nbpf_prog_load() is responsible for copying the eBPF instructions to the\nnewly allocated memory for the program; it creates a kernel bpfptr_t for\ninsns and invokes copy_from_bpfptr(). Internally, all bpfptr_t\noperations are backed by the corresponding sockptr_t operations, which\nperforms direct memcpy() on kernel pointers for copy_from/strncpy_from\noperations. Therefore, the code is always happy to dereference the bad\npointer to trigger a un-handle-able page fault and in turn an oops.\nHowever, this is not supposed to happen because at that point the eBPF\nprogram is already verified and should not cause a memory error.\n\nSample KASAN trace:\n\n[   25.685056][  T228] ==================================================================\n[   25.685680][  T228] BUG: KASAN: user-memory-access in copy_from_bpfptr+0x21/0x30\n[   25.686210][  T228] Read of size 80 at addr 00000000deadbeef by task poc/228\n[   25.686732][  T228]\n[   25.686893][  T228] CPU: 3 PID: 228 Comm: poc Not tainted 5.19.0-rc7 #7\n[   25.687375][  T228] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014\n[   25.687991][  T228] Call Trace:\n[   25.688223][  T228]  \u003cTASK\u003e\n[   25.688429][  T228]  dump_stack_lvl+0x73/0x9e\n[   25.688747][  T228]  print_report+0xea/0x200\n[   25.689061][  T228]  ? copy_from_bpfptr+0x21/0x30\n[   25.689401][  T228]  ? _printk+0x54/0x6e\n[   25.689693][  T228]  ? _raw_spin_lock_irqsave+0x70/0xd0\n[   25.690071][  T228]  ? copy_from_bpfptr+0x21/0x30\n[   25.690412][  T228]  kasan_report+0xb5/0xe0\n[   25.690716][  T228]  ? copy_from_bpfptr+0x21/0x30\n[   25.691059][  T228]  kasan_check_range+0x2bd/0x2e0\n[   25.691405][  T228]  ? copy_from_bpfptr+0x21/0x30\n[   25.691734][  T228]  memcpy+0x25/0x60\n[   25.692000][  T228]  copy_from_bpfptr+0x21/0x30\n[   25.692328][  T228]  bpf_prog_load+0x604/0x9e0\n[   25.692653][  T228]  ? cap_capable+0xb4/0xe0\n[   25.692956][  T228]  ? security_capable+0x4f/0x70\n[   25.693324][  T228]  __sys_bpf+0x3af/0x580\n[   25.693635][  T228]  bpf_sys_bpf+0x45/0x240\n[   25.693937][  T228]  bpf_prog_f0ec79a5a3caca46_bpf_func1+0xa2/0xbd\n[   25.694394][  T228]  bpf_prog_run_pin_on_cpu+0x2f/0xb0\n[   25.694756][  T228]  bpf_prog_test_run_syscall+0x146/0x1c0\n[   25.695144][  T228]  bpf_prog_test_run+0x172/0x190\n[   25.695487][  T228]  __sys_bpf+0x2c5/0x580\n[   25.695776][  T228]  __x64_sys_bpf+0x3a/0x50\n[   25.696084][  T228]  do_syscall_64+0x60/0x90\n[   25.696393][  T228]  ? fpregs_assert_state_consistent+0x50/0x60\n[   25.696815][  T228]  ? exit_to_user_mode_prepare+0x36/0xa0\n[   25.697202][  T228]  ? syscall_exit_to_user_mode+0x20/0x40\n[   25.697586][  T228]  ? do_syscall_64+0x6e/0x90\n[   25.697899][  T228]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[   25.698312][  T228] RIP: 0033:0x7f6d543fb759\n[   25.698624][  T228] Code: 08 5b 89 e8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d \n---truncated---","modified":"2026-04-02T08:28:12.170763Z","published":"2025-06-18T11:02:14.440Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50069.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1f6db7148ed7382b336c5827af33b5d9e992630e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/41fd6cc88aaf7058b9dfc9c7a09cc80f99c8c830"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e2dcac2f58f5a95ab092d1da237ffdc0da1832cf"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50069.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50069"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"af2ac3e13e45752af03c8a933f9b6e18841b128b"},{"fixed":"41fd6cc88aaf7058b9dfc9c7a09cc80f99c8c830"},{"fixed":"1f6db7148ed7382b336c5827af33b5d9e992630e"},{"fixed":"e2dcac2f58f5a95ab092d1da237ffdc0da1832cf"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50069.json"}}],"schema_version":"1.7.5"}