Linux Kernel BPF Verifier Precision Propagation Vulnerability

Vulnerability

A vulnerability in the Linux kernel's BPF verifier can lead to out-of-bounds memory access. The issue arises because the verifier does not properly propagate precision markers for certain constant arguments, so state pruning can accept an invalid program that should have been rejected, allowing it to access memory beyond the intended bounds. The vulnerability is reachable by users holding CAP_BPF, particularly when the program uses static or global functions.

Impact

Exploitation of this vulnerability can result in unauthorized kernel memory access, potentially leading to memory corruption or other unintended behavior.

Reproduction

The vulnerability can be reproduced by creating a BPF program that passes ARG_CONST_ALLOC_SIZE_OR_ZERO arguments to a helper. The program's structure must depend on the BPF verifier's state management, particularly on how it handles precision markers. When the program is loaded by a user that has CAP_BPF, the verifier incorrectly prunes states, allowing the program to access memory out of bounds.

Remediation

Users should update to the latest version of the Linux kernel where this vulnerability has been addressed.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 7.5
exploitability: 3.8
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.