CVE-2022-49341: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Clear prog->jited_len along prog->jited syzbot reported an illegal copy_to_user() attempt from bpf_prog_get_info_by_fd() [1] There was no repro yet on this bug, but I think that commit 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns") is exposing a prior bug in bpf arm64. bpf_prog_get_info_by_fd() looks at prog->jited_len to determine if the JIT image can be copied out to user space. My theory is that syzbot managed to get a prog where prog->jited_len has been set to 43, while prog->bpf_func has ben cleared. It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering this particular warning. I thought find_vma_area(NULL) would not find a vm_struct. As we do not hold vmap_area_lock spinlock, it might be possible that the found vm_struct was garbage. [1] usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)! kernel BUG at mm/usercopy.c:101! Internal error: Oops - BUG: 0 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0 Hardware name: linux,dummy-virt (DT) pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101 lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89 sp : ffff80000b773a20 x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48 x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000 x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001 x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420 x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031 x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865 x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830 x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000 x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064 Call trace: usercopy_abort+0x90/0x94 mm/usercopy.c:89 check_heap_object mm/usercopy.c:186 [inline] __check_object_size mm/usercopy.c:252 [inline] __check_object_size+0x198/0x36c mm/usercopy.c:214 check_object_size include/linux/thread_info.h:199 [inline] check_copy_size include/linux/thread_info.h:235 [inline] copy_to_user include/linux/uaccess.h:159 [inline] bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993 bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253 __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956 __do_sys_bpf kernel/bpf/syscall.c:5021 [inline] __se_sys_bpf kernel/bpf/syscall.c:5019 [inline] __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52 el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142 do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206 el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624 el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581 Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000)
AI Analysis
Technical Summary
CVE-2022-49341 is a vulnerability identified in the Linux kernel, specifically affecting the Berkeley Packet Filter (BPF) subsystem on the ARM64 architecture. The issue arises from improper handling of the 'prog->jited_len' field within the BPF program structure during the execution of the bpf_prog_get_info_by_fd() system call. This function attempts to copy the Just-In-Time (JIT) compiled BPF program image to user space based on the 'prog->jited_len' value. The vulnerability was initially detected by syzbot, an automated kernel fuzzer, which reported an illegal copy_to_user() attempt indicating a potential kernel memory exposure or corruption. The root cause appears to be a race or state inconsistency where 'prog->jited_len' is set to a non-zero value (e.g., 43) while the corresponding JIT function pointer 'prog->bpf_func' has been cleared, leading to an invalid memory copy operation. This can cause the kernel to attempt copying from a NULL or invalid pointer to user space, triggering a kernel BUG and potentially leading to a denial of service (kernel panic) or exposing kernel memory contents. The vulnerability is tied to the ARM64-specific BPF JIT implementation and involves the interaction with kernel memory management and usercopy safety checks. Although no public exploit or reproduction has been reported yet, the nature of the bug suggests it could be triggered by malicious or malformed BPF programs, which are commonly used for advanced networking, tracing, and security purposes. The issue was addressed by clearing the 'prog->jited_len' field appropriately to prevent stale or inconsistent state leading to unsafe memory operations. This vulnerability highlights the complexity and risk associated with kernel JIT compilation and user-space interaction in the BPF subsystem on ARM64 Linux kernels.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels on ARM64 architectures, which are increasingly common in cloud environments, edge computing, and IoT devices. Exploitation could lead to kernel crashes causing denial of service, impacting availability of critical services. In worst-case scenarios, if an attacker can leverage this flaw to read kernel memory, it may lead to information disclosure, potentially exposing sensitive data or kernel pointers useful for further privilege escalation attacks. Organizations relying on BPF for network monitoring, security enforcement, or performance tracing could be particularly affected, as malicious actors might craft BPF programs to trigger this vulnerability. The impact is heightened in multi-tenant environments such as cloud providers or shared infrastructure where untrusted users can load BPF programs. Given the lack of known exploits, the immediate threat level is moderate, but the potential for future exploitation exists. European sectors with critical infrastructure, telecommunications, and cloud services that utilize ARM64 Linux systems should be vigilant. Additionally, embedded systems and industrial control systems using ARM64 Linux kernels could face operational disruptions if exploited.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should: 1) Apply the latest Linux kernel patches that address CVE-2022-49341, ensuring the ARM64 BPF subsystem is updated to clear 'prog->jited_len' correctly. 2) Restrict the ability to load or execute BPF programs to trusted users only, using Linux capabilities (e.g., CAP_BPF) and seccomp filters to limit exposure. 3) Monitor kernel logs for unusual copy_to_user() warnings or kernel BUG messages related to usercopy, which may indicate attempts to exploit this or similar vulnerabilities. 4) Employ kernel lockdown features and mandatory access controls (e.g., SELinux, AppArmor) to reduce the attack surface. 5) In environments where ARM64 Linux kernels are used in containers or virtual machines, enforce strict isolation and limit BPF usage to minimize risk. 6) Conduct regular security audits and vulnerability scans focusing on kernel versions and configurations to ensure compliance with security best practices. 7) Engage with hardware and software vendors to confirm that embedded or IoT devices running ARM64 Linux are updated or have mitigations applied.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Ireland, Italy
CVE-2022-49341: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Clear prog->jited_len along prog->jited syzbot reported an illegal copy_to_user() attempt from bpf_prog_get_info_by_fd() [1] There was no repro yet on this bug, but I think that commit 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns") is exposing a prior bug in bpf arm64. bpf_prog_get_info_by_fd() looks at prog->jited_len to determine if the JIT image can be copied out to user space. My theory is that syzbot managed to get a prog where prog->jited_len has been set to 43, while prog->bpf_func has ben cleared. It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering this particular warning. I thought find_vma_area(NULL) would not find a vm_struct. As we do not hold vmap_area_lock spinlock, it might be possible that the found vm_struct was garbage. [1] usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)! kernel BUG at mm/usercopy.c:101! Internal error: Oops - BUG: 0 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0 Hardware name: linux,dummy-virt (DT) pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101 lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89 sp : ffff80000b773a20 x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48 x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000 x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001 x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420 x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031 x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865 x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830 x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000 x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064 Call trace: usercopy_abort+0x90/0x94 mm/usercopy.c:89 check_heap_object mm/usercopy.c:186 [inline] __check_object_size mm/usercopy.c:252 [inline] __check_object_size+0x198/0x36c mm/usercopy.c:214 check_object_size include/linux/thread_info.h:199 [inline] check_copy_size include/linux/thread_info.h:235 [inline] copy_to_user include/linux/uaccess.h:159 [inline] bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993 bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253 __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956 __do_sys_bpf kernel/bpf/syscall.c:5021 [inline] __se_sys_bpf kernel/bpf/syscall.c:5019 [inline] __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52 el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142 do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206 el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624 el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581 Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000)
AI-Powered Analysis
Technical Analysis
CVE-2022-49341 is a vulnerability identified in the Linux kernel, specifically affecting the Berkeley Packet Filter (BPF) subsystem on the ARM64 architecture. The issue arises from improper handling of the 'prog->jited_len' field within the BPF program structure during the execution of the bpf_prog_get_info_by_fd() system call. This function attempts to copy the Just-In-Time (JIT) compiled BPF program image to user space based on the 'prog->jited_len' value. The vulnerability was initially detected by syzbot, an automated kernel fuzzer, which reported an illegal copy_to_user() attempt indicating a potential kernel memory exposure or corruption. The root cause appears to be a race or state inconsistency where 'prog->jited_len' is set to a non-zero value (e.g., 43) while the corresponding JIT function pointer 'prog->bpf_func' has been cleared, leading to an invalid memory copy operation. This can cause the kernel to attempt copying from a NULL or invalid pointer to user space, triggering a kernel BUG and potentially leading to a denial of service (kernel panic) or exposing kernel memory contents. The vulnerability is tied to the ARM64-specific BPF JIT implementation and involves the interaction with kernel memory management and usercopy safety checks. Although no public exploit or reproduction has been reported yet, the nature of the bug suggests it could be triggered by malicious or malformed BPF programs, which are commonly used for advanced networking, tracing, and security purposes. The issue was addressed by clearing the 'prog->jited_len' field appropriately to prevent stale or inconsistent state leading to unsafe memory operations. This vulnerability highlights the complexity and risk associated with kernel JIT compilation and user-space interaction in the BPF subsystem on ARM64 Linux kernels.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels on ARM64 architectures, which are increasingly common in cloud environments, edge computing, and IoT devices. Exploitation could lead to kernel crashes causing denial of service, impacting availability of critical services. In worst-case scenarios, if an attacker can leverage this flaw to read kernel memory, it may lead to information disclosure, potentially exposing sensitive data or kernel pointers useful for further privilege escalation attacks. Organizations relying on BPF for network monitoring, security enforcement, or performance tracing could be particularly affected, as malicious actors might craft BPF programs to trigger this vulnerability. The impact is heightened in multi-tenant environments such as cloud providers or shared infrastructure where untrusted users can load BPF programs. Given the lack of known exploits, the immediate threat level is moderate, but the potential for future exploitation exists. European sectors with critical infrastructure, telecommunications, and cloud services that utilize ARM64 Linux systems should be vigilant. Additionally, embedded systems and industrial control systems using ARM64 Linux kernels could face operational disruptions if exploited.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should: 1) Apply the latest Linux kernel patches that address CVE-2022-49341, ensuring the ARM64 BPF subsystem is updated to clear 'prog->jited_len' correctly. 2) Restrict the ability to load or execute BPF programs to trusted users only, using Linux capabilities (e.g., CAP_BPF) and seccomp filters to limit exposure. 3) Monitor kernel logs for unusual copy_to_user() warnings or kernel BUG messages related to usercopy, which may indicate attempts to exploit this or similar vulnerabilities. 4) Employ kernel lockdown features and mandatory access controls (e.g., SELinux, AppArmor) to reduce the attack surface. 5) In environments where ARM64 Linux kernels are used in containers or virtual machines, enforce strict isolation and limit BPF usage to minimize risk. 6) Conduct regular security audits and vulnerability scans focusing on kernel versions and configurations to ensure compliance with security best practices. 7) Engage with hardware and software vendors to confirm that embedded or IoT devices running ARM64 Linux are updated or have mitigations applied.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T02:08:31.541Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982dc4522896dcbe5702
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 6/30/2025, 6:09:37 AM
Last updated: 7/29/2025, 7:51:12 PM
Views: 14
Related Threats
CVE-2025-8832: Stack-based Buffer Overflow in Linksys RE6250
HighCVE-2025-8831: Stack-based Buffer Overflow in Linksys RE6250
HighCVE-2025-8829: OS Command Injection in Linksys RE6250
MediumCVE-2025-8828: OS Command Injection in Linksys RE6250
MediumCVE-2025-8827: OS Command Injection in Linksys RE6250
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.