Linux Kernel BPF Array Map 32-Bit Overflow Vulnerability

Vulnerability

A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) implementation could lead to a 32-bit overflow when accessing elements of an ARRAY map, in particular when the map exceeds 4GB in size. The issue arises because both the element index and the element size are treated as 32-bit unsigned integers, so their product, used to compute the element pointer, can wrap before it is added to the base address. The vulnerability has been addressed by ensuring that 64-bit multiplication is used consistently in the relevant calculations. The fix extracts the multiplication into a separate helper function so it is applied consistently, and adds explicit 64-bit casts in the remaining places. The original speculation-preventing formula, which bounds the index with an index mask, has been retained, with the added casts preventing the overflow.
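To make the arithmetic concrete, the following is an added C illustration written for this entry; it is not kernel code and not the fix commit. The `struct demo_array_map`, `demo_index_mask`, `offset_u32_mul`, `offset_u64_mul` and `misresolved_elements` names and the 8 GiB sample map are constructed here. It keeps the index-mask expression described above and shows that with 32-bit operands the product wraps for every element past the 4 GiB boundary, so the computed offset lands on the wrong (but in-bounds) element, while widening the multiply to 64 bits restores the correct offset.

```c
/*
 * Added illustration (not kernel code): how a 32-bit multiply in an
 * ARRAY map's element-offset calculation wraps once the map is larger
 * than 4 GiB, and how a 64-bit multiply avoids it. All names constructed.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the map metadata involved in the calculation. */
struct demo_array_map {
    uint32_t max_entries; /* number of elements in the map */
    uint32_t elem_size;   /* size of one element in bytes */
    uint32_t index_mask;  /* all-ones mask covering every valid index */
};

/* Smallest all-ones mask covering max_entries-1: the "index mask trick"
 * that keeps a speculatively executed out-of-range index inside the map. */
static uint32_t demo_index_mask(uint32_t max_entries)
{
    uint64_t pow2 = 1; /* 64-bit so the loop terminates for max_entries > 2^31 */
    while (pow2 < max_entries)
        pow2 <<= 1;
    return (uint32_t)(pow2 - 1);
}

/* Total backing size of the map; itself needs a 64-bit multiply. */
static uint64_t map_bytes(const struct demo_array_map *m)
{
    return (uint64_t)m->max_entries * m->elem_size;
}

/* Pre-fix arithmetic: both operands are u32, so the product is computed
 * in 32 bits and wraps modulo 2^32 before being widened. */
static uint64_t offset_u32_mul(const struct demo_array_map *m, uint32_t index)
{
    uint32_t wrapped = m->elem_size * (index & m->index_mask);
    return (uint64_t)wrapped;
}

/* Fixed arithmetic: widen to 64 bits before multiplying; mask retained. */
static uint64_t offset_u64_mul(const struct demo_array_map *m, uint32_t index)
{
    return (uint64_t)m->elem_size * (index & m->index_mask);
}

/* Count the elements whose offset the 32-bit formula gets wrong. */
static uint32_t misresolved_elements(const struct demo_array_map *m)
{
    uint32_t bad = 0;
    for (uint32_t i = 0; i < m->max_entries; i++)
        if (offset_u32_mul(m, i) != offset_u64_mul(m, i))
            bad++;
    return bad;
}

/* Constructed sample: 2^21 entries of 4 KiB each = 8 GiB, past the 4 GiB line.
 * index_mask is demo_index_mask(0x200000) written out for static init. */
static const struct demo_array_map demo_big_map = {
    .max_entries = 0x200000u,
    .elem_size   = 4096u,
    .index_mask  = 0x1FFFFFu,
};

int main(void)
{
    uint32_t idx = 0x100001u; /* element just past the 4 GiB boundary */

    printf("map size:            %" PRIu64 " bytes\n", map_bytes(&demo_big_map));
    printf("index 0x%x, u32 mul: 0x%" PRIx64 "\n", idx, offset_u32_mul(&demo_big_map, idx));
    printf("index 0x%x, u64 mul: 0x%" PRIx64 "\n", idx, offset_u64_mul(&demo_big_map, idx));
    printf("elements misresolved by the u32 formula: %u of %u\n",
           misresolved_elements(&demo_big_map), demo_big_map.max_entries);
    return 0;
}
```

With the sample map, the 32-bit product for index 0x100001 wraps to 0x1000, the offset of element 1, while the 64-bit product is 0x100001000; every index from 0x100000 upward, half the map, is misresolved the same way.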

Impact

Exploitation of this vulnerability could lead to incorrect memory access or manipulation, potentially causing memory corruption or other unintended behavior in the kernel.

Added: Jun 18, 2025, 3:04 PM
Updated: Jun 18, 2025, 3:04 PM

Vulnerability Rating

Custom Algorithm

  spread           9.0
  impact           2.5
  exploitability   5.3
  remediation      0.0
  relevance        0.2
  threat           3.2
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.