CVE-2022-48940
📋 TL;DR
A memory corruption vulnerability in the Linux kernel's BPF subsystem allows local attackers to crash the kernel or potentially escalate privileges. The issue occurs when both bpf_spin_lock and bpf_timer objects are present in a BPF map value, causing incorrect memory copying that can overwrite kernel objects. This affects any Linux system using BPF programs with these specific map configurations.
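As an added illustration (not code from this page or from the kernel), the following user-space model shows the copy behaviour the TL;DR describes: the pre-fix routine skips only one of the two in-kernel objects, so a value holding both gets its timer bytes overwritten, while the fixed routine skips both in whichever order they appear. Every name, size and offset here is an assumption chosen for the demonstration.

```c
#include <string.h>

/* Constructed user-space model of the copy_map_value logic behind this CVE; names,
 * sizes and offsets are assumptions for illustration, not the kernel's own. */
enum { SPIN_LOCK_SIZE = 4, TIMER_SIZE = 16, VALUE_SIZE = 64, NO_OFF = -1 };
struct model_map { int value_size, spin_lock_off, timer_off; }; /* NO_OFF = object absent */

/* Pre-fix behaviour as the page describes it: only one in-kernel object is skipped, so a
 * value holding both gets its timer bytes overwritten by the caller-supplied value. */
void copy_map_value_vulnerable(const struct model_map *m, unsigned char *dst, const unsigned char *src)
{
    int off, sz;
    if (m->spin_lock_off != NO_OFF)  { off = m->spin_lock_off; sz = SPIN_LOCK_SIZE; }
    else if (m->timer_off != NO_OFF) { off = m->timer_off;     sz = TIMER_SIZE; }
    else { memcpy(dst, src, m->value_size); return; }
    memcpy(dst, src, off);
    memcpy(dst + off + sz, src + off + sz, m->value_size - off - sz);
}

/* Fixed behaviour: copy around both objects, whichever order they appear in. A missing
 * object becomes an empty hole at offset 0; a is always the lower hole, b the higher. */
void copy_map_value_fixed(const struct model_map *m, unsigned char *dst, const unsigned char *src)
{
    int a_off = 0, a_sz = 0, b_off = 0, b_sz = 0, t;
    if (m->spin_lock_off != NO_OFF) { a_off = m->spin_lock_off; a_sz = SPIN_LOCK_SIZE; }
    if (m->timer_off != NO_OFF)     { b_off = m->timer_off;     b_sz = TIMER_SIZE; }
    if (a_off > b_off || !b_sz) { t = a_off; a_off = b_off; b_off = t; t = a_sz; a_sz = b_sz; b_sz = t; }
    memcpy(dst, src, a_off);
    memcpy(dst + a_off + a_sz, src + a_off + a_sz, b_off - a_off - a_sz);
    memcpy(dst + b_off + b_sz, src + b_off + b_sz, m->value_size - b_off - b_sz);
}

static int all_bytes(const unsigned char *p, int n, unsigned char v)
{ while (n--) if (*p++ != v) return 0; return 1; }

/* Runs one copy routine on a value holding both objects (constructed layout: lock at byte 8,
 * timer at byte 32); bit 0 = lock intact, bit 1 = timer intact, bit 2 = rest copied. Correct: 7. */
int check_copy(void (*copy)(const struct model_map *, unsigned char *, const unsigned char *))
{
    struct model_map m = { VALUE_SIZE, 8, 32 };
    unsigned char kern[VALUE_SIZE], user[VALUE_SIZE];
    int mask = 0;
    memset(kern, 0xAA, sizeof kern);   /* live kernel state, including the timer's pointers */
    memset(user, 0x00, sizeof user);   /* caller-supplied map update */
    copy(&m, kern, user);
    if (all_bytes(kern + 8, SPIN_LOCK_SIZE, 0xAA)) mask |= 1;
    if (all_bytes(kern + 32, TIMER_SIZE, 0xAA))    mask |= 2;
    if (all_bytes(kern, 8, 0) && all_bytes(kern + 12, 20, 0) && all_bytes(kern + 48, 16, 0)) mask |= 4;
    return mask;
}
```

With this layout the vulnerable copy returns 5 (timer bytes lost, everything else as expected) and the fixed copy returns 7.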
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to root, kernel crash leading to denial of service, or arbitrary code execution in kernel context.
Likely Case
Kernel panic/crash causing system instability or denial of service, particularly when BPF programs with timer and spinlock map values are actively used.
If Mitigated
Limited impact if BPF functionality is restricted via kernel lockdown, capabilities, or BPF LSM restrictions.
🎯 Exploit Status
The test_progs utility in the kernel source demonstrates the crash. Exploitation requires crafting specific BPF programs and map configurations. Local access and appropriate capabilities are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in stable kernel versions via commits: 719d1c2524c89ada78c4c9202641c1d9e942a322, a8abb0c3dc1e28454851a00f8b7333d9695d566c, eca9bd215d2233de79d930fa97aefbce03247a98
Vendor Advisory: https://git.kernel.org/stable/c/719d1c2524c89ada78c4c9202641c1d9e942a322
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix commits.
2. Check distribution-specific security advisories for backported patches.
3. Reboot the system after the kernel update.
🔧 Temporary Workarounds
Restrict BPF capabilities
Limit which users/processes can load BPF programs using kernel capabilities or BPF LSM.
sysctl -w kernel.unprivileged_bpf_disabled=1
capsh --drop=cap_bpf -- -c 'your_command'
Disable BPF JIT if not needed
Disable BPF JIT compilation to reduce the attack surface (though the vulnerability still exists in the interpreter).
echo 0 > /proc/sys/net/core/bpf_jit_enable
🧯 If You Can't Patch
- Implement strict capability controls to prevent unprivileged BPF program loading
- Monitor for suspicious BPF program loading activity and kernel panic/crash events
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether BPF timer support is present. If the kernel source is available, run the provided test_progs -t timer_crash.
Check Version:
uname -r
Verify Fix Applied:
Verify that the kernel version includes the fix commits or is newer than the affected versions, and that the timer_crash test passes.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- KASAN reports of user-memory-access in __pv_queued_spin_lock_slowpath
- BPF program loading failures
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("KASAN" OR "BUG" OR "panic") AND ("bpf" OR "spin_lock" OR "timer")