Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's BPF hash table management can lead to out-of-bounds memory access or unintended exposure of kernel memory to userspace. This issue arises in the 'htab_map_lookup_and_delete_batch' function when 'htab_lock_bucket' returns 'EBUSY'. The current implementation skips to the next bucket without addressing the error, which can cause silent data loss or, if the bucket count exceeds certain limits, memory access violations. The vulnerability affects several versions of the Linux kernel.
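A simplified userspace model of the error path described above, added here as an illustration and not taken from the kernel source. `drain_batch`, `lock_bucket` and the table layout are hypothetical stand-ins, and returning the error to the caller is an assumed way of addressing it. It models only the silent data loss, not the out-of-bounds access.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NBUCKETS 4
#define PER_BUCKET 2

/* Constructed model of a hash table bucket: a lock state plus a few values. */
struct bucket { bool busy; int n; int vals[PER_BUCKET]; };

/* Hypothetical stand-in for htab_lock_bucket(): -EBUSY while the bucket is held. */
static int lock_bucket(struct bucket *b) { return b->busy ? -EBUSY : 0; }

/* Lookup-and-delete walk over the table, resuming at *next.
 * skip_on_busy=true models the flawed behaviour (move on to the next bucket);
 * false hands the error back to the caller (assumed handling). */
static int drain_batch(struct bucket *tab, size_t *next, int *out, int *count,
                       bool skip_on_busy)
{
    for (; *next < NBUCKETS; (*next)++) {
        struct bucket *b = &tab[*next];
        if (lock_bucket(b) < 0) {
            if (skip_on_busy)
                continue;      /* bucket contents never reach the caller */
            return -EBUSY;     /* cursor stays on the busy bucket for a retry */
        }
        for (int i = 0; i < b->n; i++)
            out[(*count)++] = b->vals[i];
        b->n = 0;              /* delete half of lookup-and-delete */
    }
    return 0;
}

/* Constructed input: 6 elements, bucket 1 is busy during the first pass.
 * Returns how many elements the caller ends up seeing. */
static int run_demo(bool skip_on_busy)
{
    struct bucket tab[NBUCKETS] = {
        { false, 1, {10} },     { true,  2, {20, 21} },
        { false, 2, {30, 31} }, { false, 1, {40} },
    };
    int out[NBUCKETS * PER_BUCKET], count = 0;
    size_t next = 0;
    while (drain_batch(tab, &next, out, &count, skip_on_busy) == -EBUSY)
        tab[next].busy = false;  /* contention ends; caller retries that bucket */
    return count;
}

int main(void) { printf("%d %d\n", run_demo(true), run_demo(false)); return 0; }
```

In the skipping variant the walk reports success while two of the six elements were never returned; the caller has no signal that anything was missed.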
The vulnerability can cause out-of-bounds memory access, potentially leading to memory corruption or unauthorized access to kernel memory from userspace.
To reproduce this vulnerability, use a version of the Linux kernel that includes the affected BPF hash table management code. The vulnerability can be triggered by a BPF program that interacts with hash table maps, particularly one that locks buckets and encounters an 'EBUSY' status. The program should be designed to skip over the busy bucket, which will then expose the vulnerability by either accessing memory out of bounds or leaking kernel memory to userspace.
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.