Linux Kernel BPF Test Run Alignment Vulnerability Leading to Use-After-Free Read

Vulnerability

A vulnerability has been identified in the Linux kernel's BPF (Berkeley Packet Filter) test run functionality, reached through the BPF_PROG_TEST_RUN command of the bpf() syscall, in how the length of the user-supplied test input is handled. The kernel allocates a buffer sized from that user-controlled length and places the 'skb_shared_info' structure at the end of it. When an odd length is submitted (BPF programs themselves are made of fixed-size instructions; the odd value is the size of the packet data handed to the program), the allocation is not rounded up to the cache-line alignment the structure expects, so 'skb_shared_info' lands at a misaligned address and the access to it is reported as a use-after-free read. The issue is most visible on AArch64 with KFENCE enabled, where the misaligned access raises an alignment fault. The root cause is the missing alignment of the allocation size, which lets the kernel touch memory it should not.

Impact

Triggering the bug produces a use-after-free read of kernel memory at a misaligned address. The effect observed in practice is a kernel alignment fault on AArch64 with KFENCE, that is, a kernel crash (denial of service). The rating below treats the bad read as a possible stepping stone to memory corruption and arbitrary code execution, but that would require a further primitive not described here. Reaching the code path at all requires issuing BPF_PROG_TEST_RUN; on most distributions, which ship with kernel.unprivileged_bpf_disabled set, the bpf() syscall is unavailable to processes without CAP_BPF or CAP_SYS_ADMIN, which limits who can trigger it.

Reproduction

The issue is reproduced by running a BPF program through BPF_PROG_TEST_RUN against test input of odd length, for example 399 or 407 bytes, on a kernel with KFENCE enabled. The misaligned 'skb_shared_info' access is then reported by KFENCE and, on AArch64 systems, raises an alignment fault. Odd lengths are the cases given; the defect behind them is the missing rounding of the allocation size.
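The allocation arithmetic behind the misalignment, as an added example that is not part of the original advisory or of the kernel's own code. It models a buffer laid out as headroom + test data + tailroom with the shared-info block in the tail, computes where that block lands for the lengths named above, and contrasts the as-is length with one rounded up by SKB_DATA_ALIGN. The 64-byte cache line, 64-byte headroom, 320-byte shared-info block and the allocator returning exactly the requested length are assumptions of the model, stated in the comments; the macro names mirror the kernel's, but the code is stand-alone userspace C.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumptions of this stand-alone model (not the kernel's own code):
 * a 64-byte cache line (SMP_CACHE_BYTES on AArch64), 64 bytes of headroom
 * (NET_SKB_PAD on such a machine, NET_IP_ALIGN ignored), and a shared-info
 * block of 320 bytes whose widest member needs 8-byte alignment. */
#define SMP_CACHE_BYTES 64
#define HEADROOM        64
#define ALIGN(x, a)       (((x) + (a) - 1) & ~((size_t)(a) - 1))
#define SKB_DATA_ALIGN(x) ALIGN((x), SMP_CACHE_BYTES)

struct fake_shinfo { uint64_t words[40]; };           /* stand-in: 320 bytes */
#define SHINFO_ALIGN sizeof(uint64_t)                 /* natural alignment */
#define TAILROOM SKB_DATA_ALIGN(sizeof(struct fake_shinfo))

/* Length of the buffer the test-run path allocates: headroom + data + tailroom.
 * align_data == false mirrors the vulnerable behaviour (user length used as-is);
 * align_data == true mirrors the hardened variant (rounded up before allocating). */
static size_t buffer_len(size_t data_len, bool align_data)
{
    size_t len = align_data ? SKB_DATA_ALIGN(data_len) : data_len;
    return HEADROOM + len + TAILROOM;
}

/* Offset of the shared-info block from the start of the buffer. The skb is
 * built over the whole buffer and the block occupies its last TAILROOM bytes,
 * so the offset is total - TAILROOM. The model assumes the allocator reports
 * the usable length as exactly what was requested (the page ties the fault to
 * KFENCE; an object rounded up to a slab bucket size would hide the problem). */
size_t shinfo_offset(size_t data_len, bool align_data)
{
    return buffer_len(data_len, align_data) - TAILROOM;
}

/* Misalignment, in bytes, of the shared-info pointer relative to SHINFO_ALIGN
 * once the buffer is actually allocated at a cache-line-aligned address, as a
 * kmalloc object would be. 0 means aligned; an odd data length is never 0. */
size_t shinfo_misalignment(size_t data_len, bool align_data)
{
    size_t total = buffer_len(data_len, align_data);
    unsigned char *raw = malloc(total + SMP_CACHE_BYTES);
    if (!raw)
        return (size_t)-1;
    /* Align the start by hand so the result depends only on the length. */
    unsigned char *buf = (unsigned char *)ALIGN((uintptr_t)raw, SMP_CACHE_BYTES);

    struct fake_shinfo *shinfo = (struct fake_shinfo *)(buf + total - TAILROOM);
    size_t mis = (uintptr_t)shinfo % SHINFO_ALIGN;

    free(raw);
    return mis;
}

int main(void)
{
    /* The two lengths from the reproduction section plus an aligned control. */
    const size_t lens[] = { 399, 407, 448 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("data_len=%zu  as-is: shinfo at +%zu (misaligned by %zu)  "
               "aligned: shinfo at +%zu (misaligned by %zu)\n",
               lens[i],
               shinfo_offset(lens[i], false), shinfo_misalignment(lens[i], false),
               shinfo_offset(lens[i], true),  shinfo_misalignment(lens[i], true));
    }
    return 0;
}
```

Compile with any C compiler and run. With the lengths 399 and 407 the block ends up 7 bytes past an 8-byte boundary, which is exactly the kind of address an AArch64 atomic on the block's reference count cannot tolerate; rounding the length first puts the block on a cache-line boundary. The point generalizes beyond odd lengths: any length that is not a multiple of the block's natural alignment misaligns it, odd values are just the simplest trigger.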

Remediation

Update to a kernel release that carries the fix, which aligns the allocation size in the BPF test run path so that 'skb_shared_info' is placed at a properly aligned address; consult the Linux kernel changelog or your distribution's advisories for the exact versions. Until the update is applied, keep kernel.unprivileged_bpf_disabled enabled so that only processes with CAP_BPF or CAP_SYS_ADMIN can issue BPF_PROG_TEST_RUN. Disabling KFENCE is not a fix: KFENCE only surfaces the misaligned access, the misalignment itself comes from the unaligned allocation size.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.