Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's BPF cgroup handling has been identified, which can trigger a kernel BUG. The issue arises when BPF programs are attached to different cgroups and a memory allocation fails while one of the programs is being detached. The kernel then attempts to purge effective programs, and the BUG is hit because of how the cgroup hierarchy is handled during that purge.
Exploitation of this vulnerability leads to a kernel BUG, causing a disruption in the kernel's operation. This type of bug can often be exploited to escalate privileges or cause a denial of service by crashing the system.
To reproduce this vulnerability, first attach a BPF program to a cgroup (cg2) and another program to a different cgroup (cg1). Ensure that the attachment types for both programs are set to NONE or OVERRIDE. Next, introduce a failure in the memory allocation process by writing a value to the '/proc/thread-self/fail-nth' file. After creating this failure condition, detach the program from cg1. This sequence of actions will trigger the kernel BUG.