Linux Kernel BPF Trampoline BTI Error Vulnerability on ARM64

Vulnerability

A vulnerability in the Linux kernel's BPF trampoline mechanism for the ARM64 architecture has been addressed. When the BPF_TRAMP_F_CALL_ORIG flag is set, the trampoline uses a BLR instruction to return to the original call site and invoke the patched function. On a BTI-enabled kernel this return is usually safe, because the instruction following the call site is typically a PACIASP, which is a valid landing pad for a BLR. If, however, the instruction after the call site is neither a PACIASP nor a BTI, the BLR raises a BTI exception and the kernel panics. The fix changes how the trampoline returns to the call site so that the return is not subject to the branch target check, and the patched function is invoked without triggering an exception.

Impact

Triggering this vulnerability causes a kernel panic due to an unhandled BTI exception, disrupting system operation and potentially resulting in a denial of service.

Reproduction

The vulnerability can be reproduced on a BTI-enabled ARM64 Linux kernel by executing a BPF program with the BPF_TRAMP_F_CALL_ORIG flag set, attached to a function whose patched call site is not followed by a PACIASP or BTI. The BPF trampoline incorrectly uses a BLR instruction to return to that call site, triggering a BTI exception and causing a kernel panic.
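The mechanism described above and in the Vulnerability section comes down to one question: is the instruction the trampoline returns to a valid BTI landing pad for a BLR? The following checker is an added illustration, not kernel code; it decodes AArch64 HINT-space instructions and applies the BTI compatibility rules (BTI c / j / jc, and PACIASP/PACIBSP treated like BTI c, which assumes SCTLR_EL1.BT1 is set as Linux does at EL1). The sample instruction words and the two function bodies are constructed for the example.

```python
# Added illustration (not kernel code): decide whether an AArch64 instruction
# is a BTI landing pad for a given kind of indirect branch. This is the check
# a BLR return into the body of a patched function must pass on a BTI kernel.
import struct

# All landing pads live in the HINT space: HINT #imm7 == 0xD503201F | imm7 << 5.
HINT_MASK = 0xFFFFF01F
HINT_BASE = 0xD503201F            # HINT #0 is NOP, which is NOT a landing pad

LANDING_PADS = {34: "bti c", 36: "bti j", 38: "bti jc",
                25: "paciasp", 27: "pacibsp"}

# PSTATE.BTYPE set by the branch: BLR -> 0b10, BR X16/X17 -> 0b01, other BR -> 0b11.
BTYPE = {"blr": 0b10, "br_x16_x17": 0b01, "br": 0b11}

def landing_pad(insn: int):
    """Return the landing-pad mnemonic for a 32-bit instruction word, or None."""
    if insn & HINT_MASK != HINT_BASE:
        return None
    return LANDING_PADS.get((insn >> 5) & 0x7F)

def branch_allowed(insn: int, branch: str, bt_bit_set: bool = True) -> bool:
    """True if an indirect branch of kind `branch` may land on `insn`.

    bt_bit_set models SCTLR_EL1.BT1 (assumed set, as Linux does at EL1): with
    it set, PACIASP/PACIBSP are compatible only with BLR and BR via X16/X17.
    """
    pad, btype = landing_pad(insn), BTYPE[branch]
    if pad is None:
        return False                      # e.g. NOP, STP, MOV: BTI exception
    if pad == "bti jc":
        return True
    if pad == "bti c":
        return btype in (0b01, 0b10)
    if pad == "bti j":
        return btype in (0b01, 0b11)
    return btype in (0b01, 0b10) or not bt_bit_set   # paciasp / pacibsp

def check_return_target(code: bytes, offset: int, branch: str = "blr"):
    """Decode the little-endian instruction at `offset`; return (mnemonic, ok)."""
    (insn,) = struct.unpack_from("<I", code, offset)
    return landing_pad(insn), branch_allowed(insn, branch)

# Constructed sample bodies at the return target (the instruction after the
# patched call). A PAC-compiled function starts with PACIASP; a function built
# without PAC/BTI starts straight with stp x29, x30, [sp, #-16]! (0xA9BF7BFD).
PAC_BODY = struct.pack("<II", 0xD503233F, 0xA9BF7BFD)    # paciasp; stp ...
PLAIN_BODY = struct.pack("<II", 0xA9BF7BFD, 0x910003FD)  # stp ...; mov x29, sp
```

Running `check_return_target(PAC_BODY, 0)` reports a safe landing pad, while `check_return_target(PLAIN_BODY, 0)` reports the case that faults.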

Remediation

Users should upgrade to the latest stable Linux kernel release, which includes the fix for this vulnerability.

Added: Oct 7, 2025, 5:46 PM
Updated: Oct 7, 2025, 5:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.