CVE-2022-50167

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf: fix potential 32-bit overflow when accessing ARRAY map element

If BPF array map is bigger than 4GB, element pointer calculation can overflow because both index and elem_size are u32. Fix this everywhere by forcing 64-bit multiplication. Extract this formula into separate small helper and use it consistently in various places.

Speculative-preventing formula utilizing index_mask trick is left as is, but explicit u64 casts are added in both places.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxc85d69135a9175c50a823d04d62d932312d037b3 < 063e092534d4c6785228e5b1eb6e9329f66ccbe4affected
LinuxLinuxc85d69135a9175c50a823d04d62d932312d037b3 < 3c7256b880b3a5aa1895fd169a34aa4224a11862affected
LinuxLinuxc85d69135a9175c50a823d04d62d932312d037b3 < 87ac0d600943994444e24382a87aa19acc4cd3d4affected
LinuxLinux5.3affected
LinuxLinux0 < 5.3unaffected
LinuxLinux5.18.18 <= 5.18.*unaffected
LinuxLinux5.19.2 <= 5.19.*unaffected
LinuxLinux6.0 <= *unaffected

Weaknesses

References