Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.1.0, < 6.1.0-rc1
A vulnerability in the Linux kernel's BPF memory allocator can cause a denial-of-service condition. When an element is freed, it may be immediately reused, particularly in hash table maps. This reuse can reinitialize special fields in the map value, such as the BPF spin lock, while the lookup procedure may still access these fields, potentially leading to a hard lockup. This issue has been observed in Linux kernel versions 6.1.0 and later.
Exploitation of this vulnerability can lead to a hard lockup, causing the system to become unresponsive.
The vulnerability can be reproduced with a non-preallocated hash table map that uses the BPF memory allocator. When an element is freed, it can be immediately reused, which reinitializes special fields in the map value. If these fields are accessed during a lookup procedure, it can lead to a hard lockup. This behavior can be observed by running a BPF program that interacts with the hash table map, such as one that uses the BPF spin lock; doing so triggers the hard lockup condition.
Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Stable Tree.