Linux Kernel BPF Reference State Management Vulnerability in Synchronous Callbacks

Vulnerability

A vulnerability exists in the Linux kernel's handling of reference states during synchronous callback verification within the BPF (Berkeley Packet Filter) subsystem. The BPF verifier treats both synchronous and asynchronous callbacks as single execution events, which leads to incorrect reference management. This is particularly problematic for BPF helpers that invoke their callback multiple times: the verifier fails to account for references released during these repeated calls, potentially causing reference leaks. The root cause is that the verifier's analysis does not properly handle the nested execution frames created by callbacks, especially when references acquired by the caller are not correctly released before the callback exits. BPF programs that use certain map iteration helpers can trigger this flaw, leading to unintended reference state manipulations and leaks.

Impact

The vulnerability can cause reference state leaks in BPF programs, particularly those that use iteration helpers which invoke their callback more than once. This disrupts the expected reference management and can lead to resource mismanagement or exhaustion.

Reproduction

The vulnerability can be reproduced by creating a BPF program that uses a helper function which iterates and invokes its callback multiple times, such as 'bpf_for_each_map_elem()'. The BPF verifier then mismanages the reference states, treating the multiple invocations as a single execution, which can result in unpaired reference acquisitions and releases, causing leaks.
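The bookkeeping the advisory describes can be made concrete with a small simulation. The following Python model is an added illustration and is not the kernel verifier's code: it tags every tracked reference with the frame that acquired it (frame 0 for the main program, frame 1 for a callback) and enforces the invariant a callback that may run any number of times has to satisfy, namely that it releases everything it acquires and never releases a reference its caller acquired. The `single_execution` flag switches that second check off to mimic the unsound "callback runs once" assumption, so the accepted and rejected outcomes can be compared side by side. The class and function names (`RefStateVerifier`, `verify`), the symbolic op names and the sample programs are all constructed for this example; real verification operates on BPF instructions and register state, not on a list of named operations.

```python
"""Illustrative model (added example, not kernel code) of reference-state
bookkeeping around a synchronous BPF callback.

A helper such as bpf_for_each_map_elem() may invoke its callback any number
of times, so the callback body is only sound if it is reference-neutral:
everything it acquires it must release, and it must never release something
the caller acquired.  The `single_execution` flag reproduces the unsound
assumption the advisory describes (callback treated as one event).
"""


class VerifierError(Exception):
    """Raised when the simulated verifier rejects a program."""


class RefStateVerifier:
    def __init__(self, single_execution=False):
        self.single_execution = single_execution
        self.refs = {}      # reference id -> frame that acquired it
        self.names = {}     # symbolic name -> reference id (readability only)
        self.next_id = 1
        self.frame = 0      # 0 = main program, 1 = inside the callback

    def acquire(self, name):
        rid = self.next_id
        self.next_id += 1
        self.refs[rid] = self.frame
        self.names[name] = rid

    def release(self, name):
        rid = self.names.get(name)
        if rid is None or rid not in self.refs:
            raise VerifierError(f"release of unknown or already released ref {name!r}")
        owner = self.refs[rid]
        # The callback may run again: releasing a caller-owned reference inside
        # it leaves the caller's state stale on the next invocation.
        if not self.single_execution and owner < self.frame:
            raise VerifierError(f"callback releases caller-acquired ref {name!r}")
        del self.refs[rid]

    def enter_callback(self):
        self.frame += 1

    def exit_callback(self):
        # Anything acquired in this frame and still live is a leak per invocation.
        leaked = [n for n, rid in self.names.items()
                  if self.refs.get(rid) == self.frame]
        if leaked:
            raise VerifierError(f"callback exits with unreleased refs {leaked}")
        self.frame -= 1

    def exit_program(self):
        if self.refs:
            raise VerifierError(f"program exits with {len(self.refs)} unreleased ref(s)")


def verify(ops, single_execution=False):
    """Run a list of (op, *args) tuples through the model; return 'ok' or the error text."""
    v = RefStateVerifier(single_execution)
    try:
        for op, *args in ops:
            getattr(v, op)(*args)
        v.exit_program()
    except VerifierError as e:
        return str(e)
    return "ok"


# Constructed sample programs (symbolic operations, not BPF bytecode).
BALANCED = [("acquire", "a"), ("enter_callback",), ("acquire", "b"),
            ("release", "b"), ("exit_callback",), ("release", "a")]
LEAKS_IN_CALLBACK = [("enter_callback",), ("acquire", "b"), ("exit_callback",)]
RELEASES_CALLER_REF = [("acquire", "a"), ("enter_callback",), ("release", "a"),
                       ("exit_callback",)]

if __name__ == "__main__":
    print("balanced:           ", verify(BALANCED))
    print("leaks in callback:  ", verify(LEAKS_IN_CALLBACK))
    print("releases caller ref:", verify(RELEASES_CALLER_REF))
    print("same, single-exec:  ", verify(RELEASES_CALLER_REF, single_execution=True))
```

The last two lines of output are the point of the model: with the per-frame check the program that releases its caller's reference inside the callback is rejected, whereas under the single-execution assumption the same program is accepted, because the verifier's state shows the reference released exactly once even though a second callback invocation would release it again.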

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.

Added: Dec 9, 2025, 2:14 AM
Updated: Dec 9, 2025, 2:14 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.