CVE-2022-23222 - BPF Verifier Vulnerability in Linux Kernel (kernel/bpf/verifier.c) Explained – Exploit Details & Code Example

*Published June 2024 – Exclusive Long-read Post for Security Learners & Developers*

Introduction

On January 19, 2022, the Linux community was alerted to a critical vulnerability tracked as CVE-2022-23222, affecting the Linux kernel up to version 5.15.14. This vulnerability was discovered in the BPF (Berkeley Packet Filter) subsystem, and specifically in how the kernel validates BPF programs (in the file kernel/bpf/verifier.c).

This bug allows local attackers (any user with the ability to execute BPF programs) to gain root privileges by abusing weak pointer checks in the verifier, thanks to tricky pointer arithmetic.

Let’s take an exclusive, beginner-friendly, and deep look at what happened, how the exploit works, and how you can protect your systems.

BPF Verifier: The Basics

BPF lets userspace programs inject small, sandboxed code into the kernel—commonly for networking, tracing, and monitoring. Before BPF bytecode runs, a verifier checks the program for unsafe behavior, invalid pointer usage, leaks, and other bugs.

But if the verifier is *wrong*, malicious code can slip through.

The Vulnerability – What Happened?

In kernel/bpf/verifier.c, the verifier checks that pointer arithmetic (for instance, adding an offset to a pointer) is safe. However, it failed for certain types of pointers ending in _OR_NULL (for example, ctx_field_or_null, which can be a pointer or NULL).

This allowed “out-of-bounds” pointer math: it was possible to trick the verifier to make a calculated pointer go anywhere in kernel memory!

In simple terms: Local users with the CAP_BPF capability could write a BPF program that bypasses the safety checks and reads or writes arbitrary kernel memory.

Let’s look at the core of the problem in the verifier

static bool type_is_ptr_may_be_null(enum bpf_reg_type type)
{
    switch (type) {
        ...
        case PTR_TO_CTX: /* pointer to context, can be NULL */
        case PTR_TO_MAP_VALUE_OR_NULL:
        case PTR_TO_SOCKET_OR_NULL:
            return true;
        ...
    }
    return false;
}

When checking pointer arithmetic, the verifier didn’t actually enforce proper limits for the _OR_NULL pointer types. So you could do something like:

// Pseudo-BPF code
// r1: holds PTR_TO_CTX_OR_NULL
r1 += arbitrary_offset; // pointer arithmetic is wrongly permitted!

This lets you move the pointer far *outside* what it should be allowed.

Gain root access or control over the system.

This is local-only—remote exploits are not typical, but it’s very dangerous for shared servers or containers!

Example Exploit (Simplified)

Here’s a *simplified outline* of how this exploit works (credit to: Jann Horn, Andrey Konovalov, and code discussed in CVE-2022-23222 public info).

C-style pseudocode

// allocate pointer to context (could be current task struct)
struct ctx *p = get_ctx_or_null();

if (p != NULL) {
    // bypassing verifier, do unchecked math
    p = p + OFFSET_ARBITRARY;   // this should have been blocked!
    // Write anywhere in kernel memory!
    *p = MALICIOUS_VALUE;       // e.g., overwrite your own credentials!
}

In practice: A real exploit would use BPF bytecode and target the cred pointer inside the task struct to set the UID/GID to  (root).

Sample public proof-of-concept links

- PoC on GitHub
- exploit.c on ExploitDB

References and Original Advisories

- CVE-2022-23222 – NIST NVD
- Linux Patch Release Notes
- Google Security Research Advisory
- Detailed Write-up (zosky@google.com)
- Exploit Database Reference


## How to Fix / Patch

Audit kernel modules and BPF loaders on your system.

*If you’re using any 5.x or 4.x LTS kernel, check your distro’s security updates!*

Quick FAQ

Q: Can anyone exploit this?  
A: Only *local users* with permission to run BPF programs (but that’s lots of apps and containers on modern Linux).

Q: Does my system need a public-facing service?  
A: No, the attacker can be any regular user on the system.

Conclusion

CVE-2022-23222 is a powerful example of how subtle mistakes in critical kernel subsystems like the BPF verifier can open huge privilege escalation holes. If you run untrusted code, containers, or multiple users on Linux, patch *now* and review your BPF security policies.

Stay secure—and check the referenced links for deep-dive reading and up-to-date patches!


*This post simplifies and summarizes complex kernel vulnerability research for all readers. If you’re a sysadmin, upgrade your kernel and keep an eye on BPF subsystem news!*

Timeline

Published on: 01/14/2022 08:15:00 UTC
Last modified on: 06/07/2022 12:15:00 UTC