{"id":"CVE-2022-50862","summary":"bpf: prevent decl_tag from being referenced in func_proto","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: prevent decl_tag from being referenced in func_proto\n\nSyzkaller was able to hit the following issue:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 3609 at kernel/bpf/btf.c:1946\nbtf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946\nModules linked in:\nCPU: 0 PID: 3609 Comm: syz-executor361 Not tainted\n6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 09/22/2022\nRIP: 0010:btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946\nCode: ef e8 7f 8e e4 ff 41 83 ff 0b 77 28 f6 44 24 10 18 75 3f e8 6d 91\ne4 ff 44 89 fe bf 0e 00 00 00 e8 20 8e e4 ff e8 5b 91 e4 ff \u003c0f\u003e 0b 45\n31 f6 e9 98 02 00 00 41 83 ff 12 74 18 e8 46 91 e4 ff 44\nRSP: 0018:ffffc90003cefb40 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\nRDX: ffff8880259c0000 RSI: ffffffff81968415 RDI: 0000000000000005\nRBP: ffff88801270ca00 R08: 0000000000000005 R09: 000000000000000e\nR10: 0000000000000011 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000011 R14: ffff888026ee6424 R15: 0000000000000011\nFS:  000055555641b300(0000) GS:ffff8880b9a00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000f2e258 CR3: 000000007110e000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n btf_func_proto_check kernel/bpf/btf.c:4447 [inline]\n btf_check_all_types kernel/bpf/btf.c:4723 [inline]\n btf_parse_type_sec kernel/bpf/btf.c:4752 [inline]\n btf_parse kernel/bpf/btf.c:5026 [inline]\n btf_new_fd+0x1926/0x1e70 kernel/bpf/btf.c:6892\n bpf_btf_load kernel/bpf/syscall.c:4324 [inline]\n __sys_bpf+0xb7d/0x4cf0 kernel/bpf/syscall.c:5010\n __do_sys_bpf kernel/bpf/syscall.c:5069 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5067 [inline]\n __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:5067\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f0fbae41c69\nCode: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01\nf0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffc8aeb6228 EFLAGS: 00000246 ORIG_RAX: 0000000000000141\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0fbae41c69\nRDX: 0000000000000020 RSI: 0000000020000140 RDI: 0000000000000012\nRBP: 00007f0fbae05e10 R08: 0000000000000000 R09: 0000000000000000\nR10: 00000000ffffffff R11: 0000000000000246 R12: 00007f0fbae05ea0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nLooks like it tries to create a func_proto which return type is\ndecl_tag. For the details, see Martin's spot on analysis in [0].\n\n0: https://lore.kernel.org/bpf/CAKH8qBuQDLva_hHxxBuZzyAcYNO4ejhovz6TQeVSk8HY-2SO6g@mail.gmail.com/T/#mea6524b3fcd6298347432226e81b1e6155efc62c","modified":"2026-04-02T08:28:47.919258Z","published":"2025-12-30T12:15:35.177Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0317-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50862.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/e9dbb4c539d058852b76937dcd7347d3f38054f2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ea68376c8bed5cd156900852aada20c3a0874d17"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50862.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50862"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bd16dee66ae4de3f1726c69ac901d2b7a53b0c86"},{"fixed":"e9dbb4c539d058852b76937dcd7347d3f38054f2"},{"fixed":"ea68376c8bed5cd156900852aada20c3a0874d17"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50862.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.0.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50862.json"}}],"schema_version":"1.7.5"}