Linux · Linux Kernel · CVE-2022-49658
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
The issue is related to insufficient bounds propagation in the Linux kernel's BPF (Berkeley Packet Filter) functionality. Specifically, it concerns the `adjust_scalar_min_max_vals()` function, where a corner case allows for leaking pointers by turning a pointer register into an unknown scalar. This can occur when the `tnum` becomes constant after a call to `__reg_bound_offset()`, but the register's bounds are not updated accordingly. The problem arises from the intersection with `var_off` not being performed via `__update_reg_bounds()`, leading to a 'malformed' constant. To address this, the code has been refactored to introduce a `reg_bounds_sync()` helper, ensuring consistent bounds correction.
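The following user-space model is an added illustration, not kernel source and not code from the fix: it shows how a register can end up with a constant `var_off` while `umin != umax`, and how a final bounds update removes the mismatch. The `_model` functions, `update_bounds`, `bound_offset`, `unsynced`, `synced`, `malformed_const` and the sample state are assumptions made for the example; only unsigned 64-bit bounds are tracked.

```c
/* Simplified user-space model, added for illustration; unsigned 64-bit bounds only. */
#include <stdint.h>
#include <stdio.h>

struct tnum { uint64_t value, mask; };   /* mask bit set = bit unknown */
struct reg { uint64_t umin, umax; struct tnum var_off; };

/* Smallest tnum that covers every value in [min, max]. */
static struct tnum tnum_range_model(uint64_t min, uint64_t max)
{
    uint64_t chi = min ^ max, delta;
    int bits = 0;
    while (chi) { bits++; chi >>= 1; }   /* position of highest differing bit */
    if (bits > 63) return (struct tnum){ 0, UINT64_MAX };
    delta = (1ULL << bits) - 1;
    return (struct tnum){ min & ~delta, delta };
}

static struct tnum tnum_intersect_model(struct tnum a, struct tnum b)
{
    uint64_t mu = a.mask & b.mask;
    return (struct tnum){ (a.value | b.value) & ~mu, mu };
}

/* Role of __update_reg_bounds(): tighten umin/umax from var_off. */
static void update_bounds(struct reg *r)
{
    uint64_t hi = r->var_off.value | r->var_off.mask;
    if (r->var_off.value > r->umin) r->umin = r->var_off.value;
    if (hi < r->umax) r->umax = hi;
}

/* Role of __reg_bound_offset(): tighten var_off from umin/umax. */
static void bound_offset(struct reg *r)
{
    r->var_off = tnum_intersect_model(r->var_off, tnum_range_model(r->umin, r->umax));
}

/* No bounds update after var_off narrows: the gap described above. */
static struct reg unsynced(struct reg r) { update_bounds(&r); bound_offset(&r); return r; }
/* Same steps plus a final bounds update, the job given to reg_bounds_sync(). */
static struct reg synced(struct reg r) { r = unsynced(r); update_bounds(&r); return r; }
/* "Malformed" constant: var_off fully known, yet umin != umax. */
static int malformed_const(struct reg r) { return r.var_off.mask == 0 && r.umin != r.umax; }
/* Constructed sample state: var_off = (0x0; 0xf0), bounds [0, 15]. */
static struct reg sample(void) { return (struct reg){ 0, 0xF, { 0, 0xF0 } }; }

int main(void)
{
    printf("unsynced malformed=%d, synced malformed=%d\n",
           malformed_const(unsynced(sample())), malformed_const(synced(sample())));
    return 0;
}
```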
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.