CVE-2022-49548
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix potential array overflow in bpf_trampoline_get_progs()

The cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline can exceed BPF_MAX_TRAMP_PROGS. When this happens, the assignment '*progs++ = aux->prog' in bpf_trampoline_get_progs() will cause progs array overflow as the progs field in the bpf_tramp_progs struct can only hold at most BPF_MAX_TRAMP_PROGS bpf programs.
Security Summary
CVE-2022-49548 is a vulnerability in the Linux kernel's BPF subsystem, specifically within the bpf_trampoline_get_progs() function. The issue arises because the cnt value used in the 'cnt >= BPF_MAX_TRAMP_PROGS' check excludes BPF_TRAMP_MODIFY_RETURN BPF programs. As a result, the number of BPF_TRAMP_MODIFY_RETURN programs attached to a trampoline can exceed BPF_MAX_TRAMP_PROGS, causing an array overflow during the assignment '*progs++ = aux->prog'. The progs array in the bpf_tramp_progs struct can hold at most BPF_MAX_TRAMP_PROGS programs. This flaw is classified under CWE-129 (Improper Validation of Array Index) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by attaching an excessive number of BPF_TRAMP_MODIFY_RETURN programs to a BPF trampoline. This triggers the miscounted check, leading to the array overflow in bpf_trampoline_get_progs(). Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data (high confidentiality impact), modification of system state (high integrity impact), and denial of service or system crashes (high availability impact), all with low attack complexity and no user interaction required.
Mitigation is provided through patches in the Linux kernel stable trees. Relevant commits include 32c4559c61652f24c9fdd5440342196fe37453bc, 4f8897bcc20b9ae44758e0572538d741ab66f0dc, 7f845de2863334bed4f362e95853f5e7bc323737, a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d, and e36452d5da6325df7c10cffc60a9e68d21e2606d, available at git.kernel.org/stable. Security practitioners should update affected Linux kernels to versions incorporating these fixes to prevent exploitation.
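The following is an added illustration written for this page, not code from the Linux kernel or from the referenced commits. It models the counting logic in user space: a per-trampoline counter array indexed by program kind, a "link" step that enforces the BPF_MAX_TRAMP_PROGS cap, and a "get_progs" step that checks whether the total would fit in a fixed-size progs array. The vulnerable variant counts only FENTRY and FEXIT programs when testing the cap, exactly the miscount the description names; the corrected variant sums every kind that will later be copied into the array. The value 38 for BPF_MAX_TRAMP_PROGS, the enum names and all function names are assumptions chosen for the model, and the corrected check summing all kinds is the shape of the upstream fix as this editor recalls it, not a quote of it.

```c
#include <stdbool.h>
#include <string.h>

/* Assumed value for the model; the kernel defines its own constant. */
#define BPF_MAX_TRAMP_PROGS 38

/* Program kinds a trampoline can carry (names are the model's own). */
enum tramp_kind { TRAMP_FENTRY = 0, TRAMP_MODIFY_RETURN = 1, TRAMP_FEXIT = 2, TRAMP_MAX = 3 };

struct tramp_model {
    int progs_cnt[TRAMP_MAX];   /* how many programs of each kind are linked */
};

/* Vulnerable cap check: MODIFY_RETURN programs are left out of cnt. */
static int count_for_cap_vulnerable(const struct tramp_model *tr)
{
    return tr->progs_cnt[TRAMP_FENTRY] + tr->progs_cnt[TRAMP_FEXIT];
}

/* Corrected cap check: every kind that ends up in the progs array is counted. */
static int count_for_cap_fixed(const struct tramp_model *tr)
{
    int cnt = 0;
    for (int i = 0; i < TRAMP_MAX; i++)
        cnt += tr->progs_cnt[i];
    return cnt;
}

/* Link one program of the given kind; returns 0 on success, -1 when the cap refuses it. */
static int link_prog(struct tramp_model *tr, enum tramp_kind kind, bool use_fix)
{
    int cnt = use_fix ? count_for_cap_fixed(tr) : count_for_cap_vulnerable(tr);
    if (cnt >= BPF_MAX_TRAMP_PROGS)
        return -1;
    tr->progs_cnt[kind]++;
    return 0;
}

/*
 * Model of gathering programs into a bpf_tramp_progs-style array of fixed
 * capacity. Instead of writing past the end, it reports whether the copy
 * would overflow. Returns the number of slots that would be needed.
 */
static int progs_needed(const struct tramp_model *tr)
{
    return count_for_cap_fixed(tr);
}

static bool progs_would_overflow(const struct tramp_model *tr)
{
    return progs_needed(tr) > BPF_MAX_TRAMP_PROGS;
}

/*
 * Scenario: attach n_fentry FENTRY programs, then try n_modret
 * MODIFY_RETURN programs. Returns the total number actually linked.
 */
static int run_scenario(struct tramp_model *tr, int n_fentry, int n_modret, bool use_fix)
{
    memset(tr, 0, sizeof(*tr));
    for (int i = 0; i < n_fentry; i++)
        link_prog(tr, TRAMP_FENTRY, use_fix);
    for (int i = 0; i < n_modret; i++)
        link_prog(tr, TRAMP_MODIFY_RETURN, use_fix);
    return progs_needed(tr);
}
```

With the vulnerable check, MODIFY_RETURN links are never refused, so a trampoline can end up holding more programs than the progs array has slots and progs_would_overflow() reports true; with the corrected check the link step stops at the cap and the gather step always fits. A reviewer auditing similar code looks for exactly this mismatch: the set of items counted against a capacity must equal the set of items later copied into the buffer of that capacity.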
Details
- CWE(s)