Linux Kernel BPF Trampoline Page Fault Vulnerability

Vulnerability

The Linux kernel's BPF (Berkeley Packet Filter) subsystem contains a bug that panics the kernel when livepatch and a kretfunc probe (bpftrace's name for a BPF fexit program attached to a kernel function) are used on the same function. When a BPF trampoline is built or updated, the kernel writes the trampoline code into its instruction image and then changes the page attributes of that image to read-only and executable. If a loaded livepatch already hooks the target function, the trampoline's ftrace registration is refused (the livepatch's ftrace ops already holds IPMODIFY on that function) and the update has to be retried: the trampoline is marked with the BPF_TRAMP_F_ORIG_STACK flag and bpf_trampoline_update() runs again. The retry regenerates the trampoline code into the same image, but the page is still read-only, so the write faults and the kernel panics.
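The sequence above can be reproduced in user space without touching a kernel. The following is an added model, not code from the kernel or from the advisory: one mmap'ed page stands in for the trampoline image, mprotect() stands in for arch_protect_bpf_trampoline(), a fake register_fentry() refuses the first attempt when a "livepatch" is present, and SIGSEGV is the analogue of the kernel page fault. The names model_*, MODEL_F_ORIG_STACK and the unprotect_before_retry switch are assumptions of the model; the "fix" it demonstrates (make the image writable again before regenerating it) illustrates the class of remedy and is not a claim about the exact upstream patch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Model flag standing in for BPF_TRAMP_F_ORIG_STACK; the value is arbitrary. */
#define MODEL_F_ORIG_STACK 0x1u

/* One page standing in for the trampoline's instruction image. */
struct model_image {
	unsigned char *page;
	size_t size;
};

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_hit;

/* SIGSEGV is the user-space analogue of the kernel page fault on the RO image. */
static void on_segv(int sig)
{
	(void)sig;
	fault_hit = 1;
	siglongjmp(fault_env, 1);
}

static int image_alloc(struct model_image *im)
{
	im->size = (size_t)sysconf(_SC_PAGESIZE);
	im->page = mmap(NULL, im->size, PROT_READ | PROT_WRITE,
			MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	return im->page == MAP_FAILED ? -1 : 0;
}

/* Stand-in for arch_prepare_bpf_trampoline(): emits code into the image.
 * This write is what faults once the page has been made read-only. */
static void image_emit(struct model_image *im, unsigned int flags)
{
	memset(im->page, 0xcc, im->size);	/* int3 padding, as the x86 JIT does */
	im->page[0] = (flags & MODEL_F_ORIG_STACK) ? 0x48 : 0x55; /* distinct prologue byte per variant */
}

/* Stand-in for arch_protect_bpf_trampoline(): the kernel sets RO+X; PROT_EXEC is
 * omitted here because only the missing write permission matters for the fault. */
static int image_protect(struct model_image *im)
{
	return mprotect(im->page, im->size, PROT_READ);
}

static int image_unprotect(struct model_image *im)
{
	return mprotect(im->page, im->size, PROT_READ | PROT_WRITE);
}

/* Stand-in for register_fentry(): with a livepatch on the function, the first
 * registration is refused with -EAGAIN and the caller retries with ORIG_STACK. */
static int model_register_fentry(bool livepatched, unsigned int flags)
{
	if (livepatched && !(flags & MODEL_F_ORIG_STACK))
		return -EAGAIN;
	return 0;
}

/* Model of bpf_trampoline_update(). Returns 0 when the update completes,
 * 1 when the retry faults on the read-only image, -1 on setup failure.
 * unprotect_before_retry = false reproduces the bug; true applies the model fix.
 * *attempts receives how many times the image was (re)emitted. */
int model_trampoline_update(bool livepatched, bool unprotect_before_retry, int *attempts)
{
	struct model_image im;
	struct sigaction sa, old;
	volatile unsigned int flags = 0;	/* volatile: modified after sigsetjmp() */
	volatile int tries = 0;
	int rc;

	if (image_alloc(&im) < 0)
		return -1;
	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_segv;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = SA_NODEFER;
	sigaction(SIGSEGV, &sa, &old);
	fault_hit = 0;

	if (sigsetjmp(fault_env, 1) == 0) {
again:
		tries++;
		image_emit(&im, flags);		/* on the retry: writes a RO page unless fixed */
		image_protect(&im);
		if (model_register_fentry(livepatched, flags) == -EAGAIN) {
			flags |= MODEL_F_ORIG_STACK;
			if (unprotect_before_retry)
				image_unprotect(&im);	/* the model fix */
			goto again;
		}
		rc = 0;
	} else {
		rc = fault_hit ? 1 : -1;	/* arrived here from on_segv() */
	}

	sigaction(SIGSEGV, &old, NULL);
	munmap(im.page, im.size);
	if (attempts)
		*attempts = tries;
	return rc;
}

/* Number of image emissions for a scenario (1 without livepatch, 2 with). */
int model_attempts(bool livepatched, bool unprotect_before_retry)
{
	int n = 0;
	model_trampoline_update(livepatched, unprotect_before_retry, &n);
	return n;
}

int main(void)
{
	int n;
	int r = model_trampoline_update(true, false, &n);
	printf("livepatched, rewrite protected image: %s after %d attempts\n", r == 1 ? "FAULT" : "ok", n);
	r = model_trampoline_update(true, true, &n);
	printf("livepatched, unprotect before retry:  %s after %d attempts\n", r == 1 ? "FAULT" : "ok", n);
	return 0;
}
```

Without a livepatch the first registration succeeds and the image is written exactly once, so the protection step is harmless; with a livepatch present the second emission is the first write after the page became read-only, which is the whole bug. Any remedy has to restore write access (or use a fresh image) before the regeneration step, not after it.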

Impact

Triggering the bug crashes the kernel, so the effect is a denial of service of the whole host. It is a local issue with a high bar: loading and attaching BPF tracing programs (fentry/fexit, which bpftrace's kfunc/kretfunc probes use) requires CAP_BPF and CAP_PERFMON or CAP_SYS_ADMIN, and a livepatch module must already be loaded, which itself requires module-loading privileges. The realistic scenario is therefore an operator or tracing tool crashing a production system by probing a livepatched function, rather than an unprivileged attacker.

Reproduction

To reproduce the bug, use a kernel built with CONFIG_LIVEPATCH and the livepatch sample module (samples/livepatch/livepatch-sample.ko, which replaces cmdline_proc_show). Load the sample module with insmod, then attach a kretfunc probe to the patched function with bpftrace, for example bpftrace -e 'kretfunc:cmdline_proc_show {}'. Because the livepatch already hooks cmdline_proc_show, the trampoline's ftrace registration is refused, the update is retried against the image whose page is now read-only, and the write faults and panics the kernel. Run this only in a disposable VM with a serial console attached to capture the panic; the machine will not survive it.

Remediation

The bug is fixed in the upstream Linux kernel. Update to a kernel that includes the fix, or to the distribution kernel whose advisory lists it as backported. Until then, avoid attaching BPF tracing programs (fentry/fexit, including bpftrace kfunc/kretfunc probes) to functions that a loaded livepatch replaces; tracing unpatched functions, or using kprobe/kretprobe instead of fentry/fexit on the patched ones, does not take the affected trampoline retry path.

Added: Dec 9, 2025, 2:37 AM
Updated: Dec 9, 2025, 2:37 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.