Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's BPF (Berkeley Packet Filter) implementation, specifically in the BPF event output function. The function relies on per-CPU nesting protection but does not disable preemption, so a task that is still inside the nesting-protected region can be preempted by another task on the same CPU. Two tasks can then operate on the same performance sample data buffer at the same time, which can corrupt its contents and lead to critical errors, including null pointer dereferences and page faults, disrupting normal kernel operation.
Triggering this vulnerability can crash the kernel: the resulting null pointer dereference manifests as a supervisor instruction fetch error in kernel mode.
The vulnerability can be reproduced by executing BPF programs that call the 'bpf_event_output' function while preemption is enabled and migration is disabled. For example, a BPF program running in a cgroup context that prevents task migration can be preempted by another task, which then interferes with the in-progress BPF event output processing.
The fix modifies the BPF event output function to disable preemption for the duration of its execution. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.