Linux Kernel BPF Poke Descriptor Array Range Check Vulnerability

Vulnerability

A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem allows a slab-out-of-bounds memory access. The flaw is in the BPF verifier (kernel/bpf/verifier.c), in the check that validates the constant key of a tail call against the size of the target program array before recording a JIT "poke descriptor" for it. That check was implemented with tnum_range(), a "tracked number" representation of an integer range. A tnum can only describe power-of-two aligned blocks of values, so tnum_range(0, max_entries - 1) over-approximates the allowed interval whenever max_entries is not a power of two: for a map of 3 entries the tnum covers 0..3, so a program using key 3 passes the verifier even though the array holds only indices 0..2. The out-of-range key is then recorded in the poke descriptor and used by the JIT compiler, which reads past the end of the program array's slab allocation. The issue was reported by Hsin-Wei Hung, who triggered it with a BPF runtime fuzzer built on a customized version of Syzkaller. The fix replaces the tnum-based check with a direct comparison of the constant key against max_entries.
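The root cause is easiest to see by running the range check itself. The following is an added, stand-alone user-space reimplementation of the kernel's tnum helpers (modelled on kernel/bpf/tnum.c) and of the two forms of the key check, vulnerable and fixed; it is not code from the kernel or from the reporter, and the function names poke_key_ok_tnum_range, poke_key_ok_direct and first_escaping_key are this example's own. It enumerates, for several map sizes, the smallest tail-call key that the tnum-based check wrongly accepts.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Tracked number ("tnum"): denotes every 64-bit value whose bits outside
 * `mask` equal `value`; bits inside `mask` are unknown (0 or 1).
 * Reimplemented here after the kernel's tnum.c for illustration. */
struct tnum {
	uint64_t value;
	uint64_t mask;
};

#define TNUM(v, m) ((struct tnum){ .value = (v), .mask = (m) })
static const struct tnum tnum_unknown = { .value = 0, .mask = UINT64_MAX };

/* fls64(): 1-based index of the most significant set bit; 0 for x == 0. */
static int fls64(uint64_t x)
{
	return x ? 64 - __builtin_clzll(x) : 0;
}

/* tnum_range(): tightest tnum containing [min, max]. Because a tnum is a
 * power-of-two aligned block, this can over-approximate the interval. */
static struct tnum tnum_range(uint64_t min, uint64_t max)
{
	uint64_t chi = min ^ max, delta;
	int bits = fls64(chi);

	if (bits > 63)
		return tnum_unknown;
	delta = (1ULL << bits) - 1;
	return TNUM(min & ~delta, delta);
}

/* tnum_in(): true if every value described by b is also described by a. */
static bool tnum_in(struct tnum a, struct tnum b)
{
	if (b.mask & ~a.mask)
		return false;
	b.value &= ~a.mask;
	return a.value == b.value;
}

/* A constant register is a tnum with no unknown bits. */
static struct tnum tnum_const(uint64_t v)
{
	return TNUM(v, 0);
}

/* Vulnerable check, modelled on the pre-fix verifier: accept a constant
 * tail-call key if it is contained in tnum_range(0, max_entries - 1). */
bool poke_key_ok_tnum_range(uint32_t max_entries, uint64_t key)
{
	struct tnum range = tnum_range(0, max_entries - 1);
	return tnum_in(range, tnum_const(key));
}

/* Fixed check, modelled on the patch: compare the constant directly. */
bool poke_key_ok_direct(uint32_t max_entries, uint64_t key)
{
	return key < max_entries;
}

/* Smallest out-of-range key the tnum-based check accepts for a map of
 * max_entries slots, or 0 if the range is exactly representable. */
uint64_t first_escaping_key(uint32_t max_entries)
{
	uint64_t key;

	for (key = max_entries; key < (uint64_t)max_entries * 2 + 2; key++)
		if (poke_key_ok_tnum_range(max_entries, key))
			return key;
	return 0;
}

int main(void)
{
	/* Constructed sample map sizes: mixes powers of two and non-powers. */
	uint32_t sizes[] = { 1, 3, 4, 5, 6, 8, 100 };
	size_t i;

	for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
		uint32_t n = sizes[i];
		struct tnum r = tnum_range(0, n - 1);

		printf("max_entries=%3" PRIu32 " tnum_range=(%#" PRIx64 ";%#" PRIx64
		       ") covers 0..%" PRIu64 " first escaping key: %" PRIu64 "\n",
		       n, r.value, r.mask, r.mask, first_escaping_key(n));
	}
	return 0;
}
```

Sizes that are powers of two are exact, so a fuzzer that only used default power-of-two maps would never see the bug; the escaping key for any other size is max_entries itself, which is exactly the index one past the end of the program array.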

Impact

A BPF program that passes the verifier with an out-of-range tail-call key causes the JIT compiler to access the program array beyond its slab allocation. The reported trigger manifests as a slab-out-of-bounds access in the kernel heap; depending on what follows the allocation, this is at minimum an out-of-bounds read of kernel memory and in the worst case memory corruption that could be built into privilege escalation. Exposure is limited to users who can load BPF programs: on systems with kernel.unprivileged_bpf_disabled set to 1 this requires CAP_BPF or CAP_SYS_ADMIN.

Reproduction

The vulnerability is reproduced by loading a BPF program that performs a tail call into a BPF_MAP_TYPE_PROG_ARRAY whose max_entries is not a power of two, using a constant key that is at or past the end of the array but still inside the power-of-two block described by tnum_range(0, max_entries - 1) (for example key 3 with a 3-entry map). The verifier accepts the key and records a poke descriptor for it, and the out-of-bounds access occurs when the JIT compiles the direct tail call. The reporter found the issue with a BPF runtime fuzzer built on a customized version of Syzkaller that generates programs exercising the verifier's range checks; a KASAN-enabled kernel makes the out-of-bounds access visible as a slab-out-of-bounds report.

Remediation

Upgrade to a kernel that contains the fix, which replaces the tnum_range() check for poke descriptors with a direct comparison of the tail-call key against the map's max_entries; the fix was also backported to the stable series, so a current stable kernel from the distribution is sufficient. Where an upgrade is not immediately possible, setting kernel.unprivileged_bpf_disabled=1 restricts BPF program loading to privileged users and reduces the exposure, but does not remove the flaw.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.