Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) implementation can lead to a use-after-free condition. The issue arises because the BPF function 'bpf_refcount_acquire' assumes that the node it is handed is still alive, an assumption that does not hold for non-owning references. In the BPF reference-counting mechanism, a node's reference count can drop to zero and the node be freed while the program still believes it holds a valid reference to it. The flaw can be triggered through BPF red-black tree operations combined with reference counting, potentially leading to memory corruption.
Triggering this vulnerability results in a use-after-free condition, in which the program continues to use a pointer to memory that has already been freed. The resulting memory corruption can allow arbitrary code execution or cause a kernel panic.
The vulnerability can be reproduced with a BPF program that uses non-owning references together with the 'bpf_refcount_acquire' function. After attempting to add a node to a BPF red-black tree, the program calls 'bpf_refcount_acquire' on that node. If the tree operation fails, the node can be freed, yet the reference-count operation still assumes the node is valid. This sequence can be automated with a BPF self-test program that mimics the flawed reference handling.
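The reference-counting defect described above, as an added user-space model (not kernel code and not from this page): a node is freed on the failed tree-add path while a non-owning reference survives, and an acquire that increments unconditionally hands back the freed node, whereas an acquire that refuses a zero count returns NULL. The node, the simulated free and the assumption that the hardened form mirrors an increment-if-nonzero check are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy refcounted node; "free" is a flag so the flawed path is observable
 * without real undefined behaviour (constructed for this example). */
struct node {
    int refcount;   /* 0 means the object has been released */
    bool freed;     /* set when the last reference is dropped */
};

/* Drop one reference; release the node when the count reaches zero. */
static void node_put(struct node *n)
{
    if (--n->refcount == 0)
        n->freed = true;
}

/* Flawed acquire: assumes the node is alive and increments unconditionally
 * (the bpf_refcount_acquire behaviour this page describes). */
static struct node *acquire_assuming_alive(struct node *n)
{
    n->refcount++;
    return n;
}

/* Fallible acquire: succeeds only while the count is nonzero, so a non-owning
 * reference to a released node yields NULL instead of a dangling pointer
 * (assumption: models an increment-if-nonzero check, not quoted on the page). */
static struct node *acquire_if_alive(struct node *n)
{
    if (n->refcount == 0)
        return NULL;
    n->refcount++;
    return n;
}

/* Simulated failed rbtree add: the tree rejects the node and the owning
 * reference is dropped, freeing it while the non-owning reference remains. */
static void rbtree_add_fails_and_drops(struct node *n)
{
    node_put(n);
}

/* Returns true when the acquire handed out a pointer to a freed node. */
static bool scenario(struct node *(*acquire)(struct node *))
{
    struct node n = { .refcount = 1, .freed = false };  /* single owning ref */
    struct node *nonowning = &n;        /* non-owning ref held by the program */
    rbtree_add_fails_and_drops(&n);     /* owning ref consumed, node released */
    struct node *got = acquire(nonowning);
    return got != NULL && got->freed;
}
```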
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation or through the package management system of the respective Linux distribution.