bugzilla.redhat.com
Open in
urlscan Pro
2a02:26f0:1700:799::762
Public Scan
URL:
https://bugzilla.redhat.com/show_bug.cgi?id=2048259
Submission: On March 15 via api from SE — Scanned from DE
Submission: On March 15 via api from SE — Scanned from DE
Form analysis 5 forms found in the DOM
POST show_bug.cgi?id=2048259
<form action="show_bug.cgi?id=2048259" method="POST" class="mini_login " id="mini_login">
<input id="Bugzilla_login" required="" name="Bugzilla_login" class="bz_login" type="email" placeholder="Email Address">
<input class="bz_password" name="Bugzilla_password" type="password" id="Bugzilla_password" required="" placeholder="Password">
<input type="hidden" name="Bugzilla_login_token" value="">
<input type="submit" name="GoAheadAndLogIn" value="Log in" id="log_in">
</form>POST token.cgi
<form action="token.cgi" method="post" id="forgot_form" class="mini_forgot bz_default_hidden">
<label for="login">Login:</label>
<input name="loginname" size="20" id="login" required="" type="email" placeholder="Your Email Address">
<input id="forgot_button" value="Reset Password" type="submit">
<input type="hidden" name="a" value="reqpw">
<input type="hidden" id="token" name="token" value="1647334561-0PI1b9DqmHvpMQr1YrV3WCAg97wQ7tae_HxYgdpU88s">
<p>
<a href="#" onclick="return hide_forgot_form('')"><i class="fa fa-exclamation-triangle" aria-hidden="true"></i> Hide Forgot</a>
</p>
</form>GET buglist.cgi
<form action="buglist.cgi" method="get" onsubmit="if (this.quicksearch.value == '')
{ alert('Please enter one or more search terms first.');
return false; } return true;">
<input type="hidden" id="no_redirect_top" name="no_redirect" value="1">
<script type="text/javascript">
if (history && history.replaceState) {
var no_redirect = document.getElementById("no_redirect_top");
no_redirect.value = 1;
}
</script>
<input class="txt" type="text" id="quicksearch_top" name="quicksearch" title="Quick Search" value="">
<input class="btn" type="submit" value="Search" id="find_top">
</form>Name: changeform — POST process_bug.cgi
<form name="changeform" id="changeform" method="post" action="process_bug.cgi">
<input type="hidden" name="delta_ts" value="2022-03-09 14:46:55">
<input type="hidden" name="id" value="2048259">
<input type="hidden" name="token" value="1647334561-qyzV3l7LKVCi8Uz6OdxGg6LrKU71VjdnJgZg88AT15E">
<div class="bz_short_desc_container edit_form">
<a href="show_bug.cgi?id=2048259"><b>Bug 2048259</b></a> <span id="summary_container"> (<span id="alias_nonedit_display">CVE-2022-0433</span>) - <span
id="short_desc_nonedit_display"><a href="https://access.redhat.com/security/cve/CVE-2022-0433">CVE-2022-0433</a> kernel: missing initialization in bloom filter map in kernel/bpf/bloom_filter.c can lead to DoS</span>
</span>
<div id="summary_input" class="bz_default_hidden"><span class="field_label " id="field_label_short_desc">
<a title="The bug summary is a short sentence which succinctly describes what the bug is about." class="field_help_link" href="page.cgi?id=fields.html#short_desc">Summary:</a>
</span><span title="CVE-2022-0433 kernel: missing initialization in bloom filter map in kernel/bpf/bloom_filter.c can lead to DoS">CVE-2022-0433 kernel: missing initialization in bloom filter map in kernel/bp... </span>
</div>
</div>
<script type="text/javascript">
hideEditableField('summary_container', 'summary_input', 'summary_edit_action', 'short_desc', 'CVE-2022-0433 kernel: missing initialization in bloom filter map in kernel\/bpf\/bloom_filter.c can lead to DoS');
</script>
<table class="edit_form">
<tbody>
<tr>
<td id="bz_show_bug_column_1" class="bz_show_bug_column">
<table>
<tbody>
<tr>
<th class="field_label">
<a href="describekeywords.cgi">Keywords</a>:
</th>
<td>
<div class="keywords_select">
<select id="keywords" name="keywords" disabled="" multiple="multiple" tabindex="-1" class="selectized" style="display: none;">
<option value="Security" selected="selected">Security </option>
</select>
<div class="selectize-control multi plugin-remove_button plugin-minimum_search_length plugin-extra_keys_control plugin-related_fields plugin-load_from_js">
<div class="selectize-input items not-full has-options has-items disabled locked">
<div class="item"
title="Bugs with the "Security" keyword are those that relate to a security vulnerability with a Red Hat product or service. For further information on how to report a security vulnerability to Red Hat please see the "Security Contacts and Procedures" page at http://www.redhat.com/security/team/contact/"
data-value="Security">Security <a href="javascript:void(0)" class="remove" tabindex="-1" title="Remove">×</a></div><input type="select-multiple" autocomplete="off" tabindex="-1" id="keywords-selectized" disabled=""
style="width: 4px;">
</div>
<div class="selectize-dropdown multi plugin-remove_button plugin-minimum_search_length plugin-extra_keys_control plugin-related_fields plugin-load_from_js" style="display: none;">
<div class="selectize-dropdown-content"></div>
</div>
</div>
</div>
</td>
</tr>
<tr>
<th class="field_label">
<a href="page.cgi?id=fields.html#bug_status">Status</a>:
</th>
<td id="bz_field_status">
<span id="static_bug_status">CLOSED NOTABUG </span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_alias">
<a title="A short, unique name assigned to a bug in order to assist with looking it up and referring to it in other places in Bugzilla." class="field_help_link" href="page.cgi?id=fields.html#alias">Alias:</a>
</th>
<td>CVE-2022-0433 </td>
</tr>
<tr>
<th class="field_label " id="field_label_product">
<a title="Bugs are categorised into Products and Components. Select a Classification to narrow down this list." class="field_help_link" href="describecomponents.cgi">Product:</a>
</th>
<td class="field_value " id="field_container_product">Security Response </td>
</tr>
<tr class="bz_default_hidden">
<th class="field_label " id="field_label_classification">
<a title="Bugs are categorised into Classifications, Products and Components. classifications is the top-level categorisation." class="field_help_link" href="page.cgi?id=fields.html#classification">Classification:</a>
</th>
<td class="field_value " id="field_container_classification">Other </td>
</tr>
<tr>
<th class="field_label " id="field_label_component">
<a title="Components are second-level categories; each belongs to a particular Product. Select a Product to narrow down this list." class="field_help_link" href="describecomponents.cgi?product=Security Response">Component:</a>
</th>
<td>
<input type="hidden" id="component" name="component" value="vulnerability">vulnerability <span class="show_others">
<a href="buglist.cgi?component=vulnerability&product=Security%20Response" title="Show other bugs for this component"><i class="fas fa-th-list"></i></a>
<a href="enter_bug.cgi?component=vulnerability&product=Security%20Response&version=unspecified" title="Create a new bug for this component"><i class="fas fa-plus-circle"></i></a>
</span>
</td>
</tr>
<tr>
<th id="bz_rh_sub_component_input_th" class="field_label bz_default_hidden">
<label for="rh_sub_component-selectized" class="selectized">
<a class="field_help_link" href="page.cgi?id=fields.html#rh_sub_components" title="The sub component of a specific component">Sub Component:</a>
</label>
</th>
<td id="bz_rh_sub_component_input_td" class="bz_default_hidden">
<input type="hidden" name="defined_rh_sub_component" id="defined_rh_sub_component" value="0">
<select name="rh_sub_component" id="rh_sub_component" disabled="" onchange="assign_to_default();" placeholder="Type a sub-component name" tabindex="-1" class="selectized" style="display: none;">
<option value="" selected="selected"></option>
</select>
<div class="selectize-control single plugin-remove_button plugin-minimum_search_length plugin-extra_keys_control plugin-form_history plugin-related_fields">
<div class="selectize-input items not-full disabled locked"><input type="select-one" autocomplete="off" tabindex="-1" id="rh_sub_component-selectized" placeholder="Type a sub-component name" disabled="" style="width: 172.391px;">
</div>
<div class="selectize-dropdown single plugin-remove_button plugin-minimum_search_length plugin-extra_keys_control plugin-form_history plugin-related_fields" style="display: none;">
<div class="selectize-dropdown-content"></div>
</div>
</div>
<script>
$(document).ready(function() {
if (!$('#rh_sub_component').hasClass('selectized')) {
init_sub_components();
}
});
</script>
<span class="show_others">
<a href="buglist.cgi?component=vulnerability&product=Security%20Response" title="Show other bugs for this sub-component"><i class="fas fa-th-list"></i></a>
</span>
</td>
</tr>
<script>
function rh_check_sub_components() {
var ret = '';
var sub_comp_obj = document.getElementById('rh_sub_component');
if ($('#defined_rh_sub_component').val() == 1 && !$("#rh_sub_component").selectize()[0].selectize.getValue()) {
if (!ret) ret = sub_comp_obj;
_sub_comps_errorFor(sub_comp_obj, "You must specify the sub component");
}
return ret;
}
function _sub_comps_errorFor(field, error_text) {
var new_node = document.createElement('div');
YAHOO.util.Dom.addClass(new_node, 'validation_error_text');
new_node.innerHTML = error_text;
YAHOO.util.Dom.insertAfter(new_node, field);
YAHOO.util.Dom.addClass(field, 'validation_error_field');
new_node.scrollIntoView();
}
</script>
<tr>
<th class="field_label " id="field_label_version">
<a title="The version field defines the version of the software the bug was found in." class="field_help_link" href="page.cgi?id=fields.html#version">Version:</a>
</th>
<td>
<span id="version">unspecified </span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_rep_platform">
<a title="The hardware platform the bug was observed on. Note: When searching, selecting the option "All" only finds bugs whose value for this field is literally the word "All"." class="field_help_link" href="page.cgi?id=fields.html#rep_platform">Hardware:</a>
</th>
<td class="field_value">All </td>
</tr>
<tr>
<th class="field_label " id="field_label_op_sys">
<a title="The operating system the bug was observed on. Note: When searching, selecting the option "All" only finds bugs whose value for this field is literally the word "All"." class="field_help_link" href="page.cgi?id=fields.html#op_sys">OS:</a>
</th>
<td class="field_value"> Linux </td>
</tr>
<tr>
<th class="field_label">
<label accesskey="i">
<a href="page.cgi?id=fields.html#priority">Priority:</a></label>
</th>
<td>medium </td>
</tr>
<tr>
<th class="field_label">
<label><a href="page.cgi?id=fields.html#bug_severity">Severity:</a>
</label>
</th>
<td> medium </td>
</tr>
<tr>
<th class="field_label " id="field_label_target_milestone">
<a title="The Target Milestone field is used to define when the engineer the bug is assigned to expects to fix it." class="field_help_link" href="page.cgi?id=fields.html#target_milestone">Target Milestone:</a>
</th>
<td>
<span id="target_milestone">--- </span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_assigned_to">
<a title="The person in charge of resolving the bug." class="field_help_link" href="page.cgi?id=fields.html#assigned_to">Assignee:</a>
</th>
<td><span class="vcard redhat_user"><span class="fn">Red Hat Product Security</span>
</span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_qa_contact">
<a title="The person responsible for confirming this bug if it is unconfirmed, and for verifying the fix once the bug has been resolved." class="field_help_link" href="page.cgi?id=fields.html#qa_contact">QA Contact:</a>
</th>
<td><span class="vcard ">
</span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_docs_contact">
<label for="docs_contact" accesskey="q">
<a title="The person responsible for documenting once the bug has been resolved." class="field_help_link" href="page.cgi?id=fields.html#docs_contact">Docs Contact:</a>
</label>
</th>
<td><span class="vcard ">
</span>
</td>
</tr>
<script type="text/javascript">
assignToDefaultOnChange(['product', 'component'], 'security-response-team\x40redhat.com', '', '');
</script>
<tr>
<th class="field_label " id="field_label_bug_file_loc">
<a title="Bugs can have a URL associated with them - for example, a pointer to a web site where the problem is seen." class="field_help_link" href="page.cgi?id=fields.html#bug_file_loc">URL:</a>
</th>
<td>
<span id="bz_url_input_area">
</span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_status_whiteboard">
<a title="Each bug has a free-form single line text entry box for adding tags and status information." class="field_help_link" href="page.cgi?id=fields.html#status_whiteboard">Whiteboard:</a>
</th>
<td>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_dependson">
<a title="The bugs listed here must be resolved before this bug can be resolved." class="field_help_link" href="page.cgi?id=fields.html#dependson">Depends On:</a>
</th>
<td>
<span id="dependson_input_area">
</span>
<a class="bz_bug_link
bz_status_CLOSED bz_closed
" title="CLOSED NOTABUG - CVE-2022-0433 kernel: missing initialization in bloom filter map in kernel/bpf/bloom_filter.c can lead to DoS [fedora-all]" href="show_bug.cgi?id=2048262">2048262</a>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_blocked">
<a title="This bug must be resolved before the bugs listed in this field can be resolved." class="field_help_link" href="page.cgi?id=fields.html#blocked">Blocks:</a>
</th>
<td>
<span id="blocked_input_area">
</span>
<a class="bz_bug_link
bz_secure
" title="" href="show_bug.cgi?id=2039891">2039891</a> <a class="bz_bug_link
bz_secure
" title="" href="show_bug.cgi?id=2048649">2048649</a>
</td>
</tr>
<tr>
<th class="field_label">TreeView+</th>
<td>
<a href="buglist.cgi?bug_id=2048259&bug_id_type=anddependson&format=tvp">
depends on</a> / <a href="buglist.cgi?bug_id=2048259&bug_id_type=andblocked&format=tvp&tvp_dir=blocked">
blocked</a>
</td>
<td></td>
</tr>
</tbody>
</table>
</td>
<td>
<div class="bz_column_spacer"> </div>
</td>
<td id="bz_show_bug_column_2" class="bz_show_bug_column">
<table>
<tbody>
<tr>
<th class="field_label">
<a href="page.cgi?id=fields.html#reporter">Reported:</a>
</th>
<td>2022-01-30 16:50 UTC by <span class="vcard redhat_user"><span class="fn">Alex</span>
</span>
</td>
</tr>
<tr>
<th class="field_label">
<a href="page.cgi?id=fields.html#modified">Modified:</a>
</th>
<td>2022-03-09 14:46 UTC (<a href="show_activity.cgi?id=2048259">History</a>) </td>
</tr>
<tr>
<th class="field_label">
<label accesskey="a">
<a href="page.cgi?id=fields.html#cclist">CC List:</a>
</label>
</th>
<td>47 users <span id="cc_edit_area_showhide_container"> (<a href="#" id="cc_edit_area_showhide">show</a>) </span>
<div id="cc_edit_area" class="bz_default_hidden">
<br>
<select id="cc" multiple="multiple" size="5">
<option value="acaringi">acaringi</option>
<option value="adscvr">adscvr</option>
<option value="airlied">airlied</option>
<option value="alciregi">alciregi</option>
<option value="bdettelb">bdettelb</option>
<option value="bhu">bhu</option>
<option value="brdeoliv">brdeoliv</option>
<option value="bskeggs">bskeggs</option>
<option value="chwhite">chwhite</option>
<option value="dhoward">dhoward</option>
<option value="dvlasenk">dvlasenk</option>
<option value="fhrbata">fhrbata</option>
<option value="fpacheco">fpacheco</option>
<option value="hdegoede">hdegoede</option>
<option value="hkrzesin">hkrzesin</option>
<option value="jarod">jarod</option>
<option value="jarodwilson">jarodwilson</option>
<option value="jburrell">jburrell</option>
<option value="jeremy">jeremy</option>
<option value="jfaracco">jfaracco</option>
<option value="jforbes">jforbes</option>
<option value="jglisse">jglisse</option>
<option value="jlelli">jlelli</option>
<option value="joe.lawrence">joe.lawrence</option>
<option value="jonathan">jonathan</option>
<option value="josef">josef</option>
<option value="jshortt">jshortt</option>
<option value="jstancek">jstancek</option>
<option value="jwboyer">jwboyer</option>
<option value="kcarcia">kcarcia</option>
<option value="kernel-maint">kernel-maint</option>
<option value="kernel-mgr">kernel-mgr</option>
<option value="lgoncalv">lgoncalv</option>
<option value="linville">linville</option>
<option value="lzampier">lzampier</option>
<option value="masami256">masami256</option>
<option value="mchehab">mchehab</option>
<option value="nmurray">nmurray</option>
<option value="ptalbert">ptalbert</option>
<option value="qzhao">qzhao</option>
<option value="rvrbovsk">rvrbovsk</option>
<option value="scweaver">scweaver</option>
<option value="steved">steved</option>
<option value="swood">swood</option>
<option value="vkumar">vkumar</option>
<option value="walters">walters</option>
<option value="williams">williams</option>
</select>
</div>
<script type="text/javascript">
hideEditableField('cc_edit_area_showhide_container', 'cc_edit_area', 'cc_edit_area_showhide', '', '');
</script>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_fixed_in">
<a title="The full package version. PGM uses to check if brew ...">Fixed In Version:</a>
</th>
<td class="field_value " id="field_container_cf_fixed_in" colspan="2">Linux kernel 5.17-rc1 </td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_doc_type">
<a title="Click the information icon to the right to see the description">Doc Type:</a>
<i class="fas fa-info-circle pop-text" onclick="alertify.alert('Doc Type', BB_FIELDS['cf_doc_type'].long_desc)" title="Click to see full description"></i>
</th>
<td class="field_value " id="field_container_cf_doc_type" colspan="2">If docs needed, set a value <span id="cf_doc_warn"></span></td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_release_notes">
<a title="Click the information icon to the right to see the description">Doc Text:</a>
<i class="fas fa-info-circle pop-text" onclick="alertify.alert('Doc Text', BB_FIELDS['cf_release_notes'].long_desc)" title="Click to see full description"></i>
</th>
<td class="field_value " id="field_container_cf_release_notes" colspan="2">
<div class="uneditable_textarea">A NULL pointer dereference flaw was found in the Linux kernel’s BPF subsystem in the way a user triggers the map_get_next_key function of the BPF bloom filter. This flaw allows a local user to crash
the system.</div>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_clone_of">
<a title="The bug listed here was the bug cloned to create thi...">Clone Of:</a>
</th>
<td class="field_value " id="field_container_cf_clone_of" colspan="2">
</td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_environment">
<a title="This field is used for unformatted text that helps t...">Environment:</a>
</th>
<td class="field_value " id="field_container_cf_environment" colspan="2">
<div class="uneditable_textarea"></div>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_last_closed">
<a title="When this bug was last marked as closed. Used for st...">Last Closed:</a>
</th>
<td class="field_value " id="field_container_cf_last_closed" colspan="2">2022-01-31 14:01:16 UTC </td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td colspan="3">
<hr id="bz_top_half_spacer">
</td>
</tr>
</tbody>
</table>
<table id="bz_big_form_parts">
<tbody>
<tr>
<td>
<script type="text/javascript">
<!--
function toggle_display(link) {
var table = document.getElementById("attachment_table");
var view_all = document.getElementById("view_all");
var hide_obsolete_url_parameter = "&hide_obsolete=1";
// Store current height for scrolling later
var originalHeight = table.offsetHeight;
var rows = YAHOO.util.Dom.getElementsByClassName('bz_tr_obsolete', 'tr', table);
for (var i = 0; i < rows.length; i++) {
bz_toggleClass(rows[i], 'bz_default_hidden');
}
if (YAHOO.util.Dom.hasClass(rows[0], 'bz_default_hidden')) {
link.innerHTML = "Show Obsolete";
view_all.href = view_all.href + hide_obsolete_url_parameter
} else {
link.innerHTML = "Hide Obsolete";
view_all.href = view_all.href.replace(hide_obsolete_url_parameter, "");
}
var newHeight = table.offsetHeight;
// This scrolling makes the window appear to not move at all.
window.scrollBy(0, newHeight - originalHeight);
return false;
}
//
-->
</script>
<br>
<table id="attachment_table">
<tbody>
<tr id="a0">
<th align="left"> Attachments </th>
<th colspan="2" align="right">
<a href="page.cgi?id=terms-conditions.html">(Terms of Use)</a>
</th>
</tr>
<tr class="bz_attach_footer">
<td colspan="3">
<a href="attachment.cgi?bugid=2048259&action=enter">Add an attachment</a> (proposed patch, testcase, etc.)
</td>
</tr>
</tbody>
</table>
<br>
</td>
<td class="groups">
</td>
</tr>
</tbody>
</table>
<div id="comments">
<script type="text/javascript">
<!--
/* Adds the reply text to the 'comment' textarea */
function replyToComment(id, real_id, name) {
var prefix = "(In reply to " + name + " from comment #" + id + ")\n";
var replytext = "";
/* pre id="comment_name_N" */
var text_elem = document.getElementById('comment_text_' + id);
var text = getText(text_elem);
replytext = prefix + wrapReplyText(text);
/* <textarea id="comment"> */
var textarea = document.getElementById('comment');
if (textarea.value != replytext) {
textarea.value += replytext;
}
textarea.focus();
}
//
-->
</script>
<!-- This auto-sizes the comments and positions the collapse/expand links
to the right. -->
<table class="bz_comment_table">
<tbody>
<tr>
<td>
<div id="c0" class="bz_comment bz_first_comment
">
<div class="bz_first_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=2048259#c0">Description</a>
</span>
<span class="bz_comment_user">
<span class="vcard redhat_user"><span class="fn">Alex</span>
</span>
</span>
<span class="bz_comment_user_images">
</span>
<span class="bz_comment_time"> 2022-01-30 16:50:51 UTC </span>
</div>
<pre class="bz_comment_text">The bug inside bloom filter.
Results in Null Pointer Dereference when map_get_next_key function inside BPF code being executed by local user.
This is new (fresh) bloom filter functionality of the eBPF that is actual starting from this commit:
<a href="https://lore.kernel.org/bpf/20210921210225.4095056-2-joannekoong@fb.com/">https://lore.kernel.org/bpf/20210921210225.4095056-2-joannekoong@fb.com/</a>
Reference to the patch:
<a href="https://lore.kernel.org/bpf/d5776f5d-3416-4e3b-8751-8a5a9e6a0d4d@iogearbox.net/T/">https://lore.kernel.org/bpf/d5776f5d-3416-4e3b-8751-8a5a9e6a0d4d@iogearbox.net/T/</a>
</pre>
</div>
<div id="c1" class="bz_comment
">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=2048259#c1">Comment 1</a>
</span>
<span class="bz_comment_user">
<span class="vcard redhat_user"><span class="fn">Alex</span>
</span>
</span>
<span class="bz_comment_user_images">
</span>
<span class="bz_comment_time"> 2022-01-30 17:06:29 UTC </span>
</div>
<pre class="bz_comment_text">Created kernel tracking bugs for this issue:
Affects: fedora-all [<a class="bz_bug_link
bz_status_CLOSED bz_closed
" title="CLOSED NOTABUG - CVE-2022-0433 kernel: missing initialization in bloom filter map in kernel/bpf/bloom_filter.c can lead to DoS [fedora-all]" href="show_bug.cgi?id=2048262">bug 2048262</a>]
</pre>
</div>
<div id="c3" class="bz_comment
">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=2048259#c3">Comment 3</a>
</span>
<span class="bz_comment_user">
<span class="vcard redhat_user">juneau </span>
</span>
<span class="bz_comment_user_images">
</span>
<span class="bz_comment_time"> 2022-01-31 13:34:03 UTC </span>
</div>
<pre class="bz_comment_text">Services notaffected per kernel analysis.
</pre>
</div>
<div id="c5" class="bz_comment
">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=2048259#c5">Comment 5</a>
</span>
<span class="bz_comment_user">
<span class="vcard redhat_user"><span class="fn">Justin M. Forbes</span>
</span>
</span>
<span class="bz_comment_user_images">
</span>
<span class="bz_comment_time"> 2022-01-31 22:53:46 UTC </span>
</div>
<pre class="bz_comment_text">This bug was introduced in 5.16 kernels and a fix was included in 5.16.3 upstream. It was never shipped as an update to stable Fedora users.
</pre>
</div>
<script>
$(document).ready(function() {
var mysel = document.getElementsByClassName('flag_type-415')[0];
var relnotes = document.getElementById('cf_release_notes');
if (mysel && relnotes && relnotes.value != '' && relnotes.value != cf_doc_type_text[document.getElementById('cf_doc_type').value] && mysel.options[mysel.selectedIndex].value != '+') document.getElementById('cf_doc_warn')
.innerHTML = '<div class="warning "><b>Warning: Doc Text is not yet verified as correct</b></div>';
});
</script>
</td>
<td>
</td>
</tr>
</tbody>
</table>
</div>
<hr>
<div id="add_comment" class="bz_section_additional_comments">
<table>
<tbody>
<tr>
<td>
<fieldset>
<legend>Note</legend> You need to <a href="show_bug.cgi?id=2048259&GoAheadAndLogIn=1">log in</a> before you can comment on or make changes to this bug.
</fieldset>
</td>
</tr>
</tbody>
</table>
</div>
</form>GET buglist.cgi
<form action="buglist.cgi" method="get" onsubmit="if (this.quicksearch.value == '')
{ alert('Please enter one or more search terms first.');
return false; } return true;">
<input type="hidden" id="no_redirect_bottom" name="no_redirect" value="1">
<script type="text/javascript">
if (history && history.replaceState) {
var no_redirect = document.getElementById("no_redirect_bottom");
no_redirect.value = 1;
}
</script>
<input class="txt" type="text" id="quicksearch_bottom" name="quicksearch" title="Quick Search" value="">
<input class="btn" type="submit" value="Search" id="find_bottom">
</form>Text Content
Login
[x]
* Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
* Forgot Password
Login:
Hide Forgot
* Create an Account
Red Hat Bugzilla – Bug 2048259
*
[?]
*
* New
* * Simple Search
* Advanced Search
* My Links
* Browse
* Requests
* Reports
* Current State
* Search
* Tabular reports
* Graphical reports
* Duplicates
* Other Reports
* User Changes
* Plotly Reports
* Bug Status
* Bug Severity
* Non-Defaults
* | Product Dashboard
* Help
* Page Help!
* Bug Writing Guidelines
* What's new
* Browser Support Policy
* 5.0.4.rh68 Release notes
* FAQ
* Guides index
* User guide
* Web Services
* Contact
* Legal
Note: If your use of the APIs is failing with an error titled 'API access must
use the Authorization header' then you need to read the API Authentication
changes announcement
This site requires JavaScript to be enabled to function correctly, please enable
it.
*
*
*
*
*
*
Bug 2048259 (CVE-2022-0433) - CVE-2022-0433 kernel: missing initialization in
bloom filter map in kernel/bpf/bloom_filter.c can lead to DoS
Summary: CVE-2022-0433 kernel: missing initialization in bloom filter map in
kernel/bp...
Keywords:
Security
Security ×
Status: CLOSED NOTABUG Alias: CVE-2022-0433 Product: Security Response
Classification: Other Component: vulnerability Sub Component:
Version: unspecified Hardware: All OS: Linux Priority: medium Severity: medium
Target Milestone: --- Assignee: Red Hat Product Security QA Contact: Docs
Contact: URL: Whiteboard: Depends On: 2048262 Blocks: 2039891 2048649 TreeView+
depends on / blocked
Reported: 2022-01-30 16:50 UTC by Alex Modified: 2022-03-09 14:46 UTC (History)
CC List: 47 users (show)
acaringi adscvr airlied alciregi bdettelb bhu brdeoliv bskeggs chwhite dhoward
dvlasenk fhrbata fpacheco hdegoede hkrzesin jarod jarodwilson jburrell jeremy
jfaracco jforbes jglisse jlelli joe.lawrence jonathan josef jshortt jstancek
jwboyer kcarcia kernel-maint kernel-mgr lgoncalv linville lzampier masami256
mchehab nmurray ptalbert qzhao rvrbovsk scweaver steved swood vkumar walters
williams
Fixed In Version: Linux kernel 5.17-rc1 Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the Linux kernel’s BPF subsystem in
the way a user triggers the map_get_next_key function of the BPF bloom filter.
This flaw allows a local user to crash the system.
Clone Of: Environment:
Last Closed: 2022-01-31 14:01:16 UTC
--------------------------------------------------------------------------------
Attachments (Terms of Use) Add an attachment (proposed patch, testcase, etc.)
Description Alex 2022-01-30 16:50:51 UTC
The bug inside bloom filter.
Results in Null Pointer Dereference when map_get_next_key function inside BPF code being executed by local user.
This is new (fresh) bloom filter functionality of the eBPF that is actual starting from this commit:
https://lore.kernel.org/bpf/20210921210225.4095056-2-joannekoong@fb.com/
Reference to the patch:
https://lore.kernel.org/bpf/d5776f5d-3416-4e3b-8751-8a5a9e6a0d4d@iogearbox.net/T/
Comment 1 Alex 2022-01-30 17:06:29 UTC
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2048262]
Comment 3 juneau 2022-01-31 13:34:03 UTC
Services notaffected per kernel analysis.
Comment 5 Justin M. Forbes 2022-01-31 22:53:46 UTC
This bug was introduced in 5.16 kernels and a fix was included in 5.16.3 upstream. It was never shipped as an update to stable Fedora users.
--------------------------------------------------------------------------------
Note You need to log in before you can comment on or make changes to this bug.
--------------------------------------------------------------------------------
*
*
*
*
*
*
* *
[?]
Type a sub-component name