Linux Kernel BPF JIT Memory Copy Vulnerability on ARM64

Vulnerability

A vulnerability has been identified in the Linux kernel's BPF (Berkeley Packet Filter) implementation for the ARM64 architecture. The issue arises from improper handling of the JIT (Just-In-Time) compilation length of BPF programs. Specifically, the kernel can attempt an illegal copy of kernel memory to user space, potentially leading to memory corruption or exposure of sensitive information. The issue was triggered by a BPF program whose JIT length was set to 43 bytes while another related field had been cleared, leaving the two inconsistent so that a copy operation could overrun the intended memory boundaries.

Impact

Exploitation of this vulnerability causes a kernel memory exposure attempt, detected as an illegal copy operation from vmalloc'd memory to user space, which triggers a kernel BUG and an internal error.

Reproduction

The vulnerability can be reproduced by executing a BPF program that manipulates the JIT compilation length and the related fields, creating a condition in which the JIT length is set to a value that allows an overrun during a copy operation to user space. This can be achieved through the 'bpf_prog_get_info_by_fd' syscall, which retrieves information about a BPF program, including its JIT compilation details. The 'syzbot' kernel fuzzer has triggered this vulnerability while exercising the BPF JIT compilation process.
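To make the invariant at the heart of the advisory concrete, the following is an added example, not code from the Linux kernel or from this entry: a simplified user-space model of the program metadata that the info-by-fd path copies out. The field names ('jited', 'jited_len', 'image_cap') and the structure are assumptions for illustration; the advisory only states that the JIT length was 43 bytes while a related field had been cleared. The unchecked length computation reproduces the defective logic (trusting the recorded length alone), and the checked version shows the consistency and bounds checks a hardened copy path applies before handing a length to the user-space copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of the metadata involved: a flag saying
 * whether a JIT image currently exists, the recorded image length, and the
 * real size of the backing buffer. This is NOT the kernel's struct bpf_prog. */
struct prog_model {
    bool     jited;      /* assumed "related field" that was cleared */
    uint32_t jited_len;  /* length the kernel believes the JIT image has */
    size_t   image_cap;  /* real size of the backing allocation (0 = freed) */
    uint8_t  image[64];  /* stands in for the vmalloc'd JIT image */
};

/* Length the defective path would hand to the user-space copy: it trusts
 * jited_len alone, so a stale 43 survives even after the flag was cleared. */
size_t copy_len_unchecked(const struct prog_model *p)
{
    return p->jited_len;
}

/* Hardened length computation. No image means no copy; otherwise the copy is
 * bounded by the recorded length, the real allocation size, and the size of
 * the destination buffer the caller supplied. When the metadata disagrees
 * with itself, return 0 and set *inconsistent, which is the condition a
 * hardened usercopy check turns into a kernel BUG instead of a leak. */
size_t copy_len_checked(const struct prog_model *p, size_t user_len,
                        bool *inconsistent)
{
    *inconsistent = false;
    if (!p->jited) {
        /* Cleared flag with a non-zero length: the stale state the
         * advisory describes. Report it rather than copy. */
        if (p->jited_len != 0)
            *inconsistent = true;
        return 0;
    }
    if (p->jited_len > p->image_cap) {
        /* Recorded length exceeds what is actually allocated. */
        *inconsistent = true;
        return 0;
    }
    return p->jited_len < user_len ? p->jited_len : user_len;
}

/* Constructed scenario mirroring the advisory: jited_len left at 43 after
 * the image flag was cleared and the backing image released. */
struct prog_model stale_prog(void)
{
    struct prog_model p;
    memset(&p, 0, sizeof p);
    p.jited = false;
    p.jited_len = 43;
    p.image_cap = 0;
    return p;
}

int main(void)
{
    struct prog_model p = stale_prog();
    bool bad;
    size_t n = copy_len_checked(&p, 128, &bad);
    printf("unchecked would copy %zu bytes; checked copies %zu (inconsistent=%d)\n",
           copy_len_unchecked(&p), n, (int)bad);
    return 0;
}
```

The point of the model is that a length field is only trustworthy together with the state that says what it describes; a copy-out path must re-derive the length from the flag and the live allocation rather than reuse a value that may have outlived the buffer.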

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:          9.0
impact:          2.5
exploitability:  3.8
remediation:     0.0
relevance:       0.0
threat:          4.8
urgency:         2.9
incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.