Linux Kernel BPF Verifier Pointer Comparison Vulnerability Allowing Pointer Leaks

Vulnerability

The Linux kernel's BPF verifier mishandles pointer comparisons in networking BPF programs. The issue arises after the program's capabilities are changed: the verifier then incorrectly flags valid pointer comparisons as prohibited. The vulnerability is present in the 6.1.y stable series of the Linux kernel.

Impact

The vulnerability causes the BPF verifier to incorrectly reject valid pointer comparisons, which can disrupt the execution of networking BPF programs that rely on such comparisons.

Reproduction

To reproduce this issue, create a networking BPF program and assign it the capabilities 'cap_net_admin' and 'cap_bpf'. The program should include a function that compares packet pointers, such as checking if a pointer to the IP header is within the bounds of the packet data. When this program is loaded, it will fail the BPF verifier with an error message indicating that the pointer comparison is prohibited.
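The kind of program described above, as an added example (not code from the kernel report or the patch): a tc classifier that bounds-checks the Ethernet and IPv4 headers against data_end. The program type, the names ipv4_proto, check_ip_bounds and BE16, and the return codes are assumptions; the page only specifies a networking BPF program loaded with 'cap_net_admin' and 'cap_bpf'.

```c
/* Build for the kernel: clang -O2 -g -target bpf -c pktcmp.c -o pktcmp.o
 * The same file also compiles as host C so the bounds logic can be tested. */
#include <linux/if_ether.h>
#include <linux/ip.h>

#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define BE16(x) __builtin_bswap16(x)   /* host order -> network order */
#else
#define BE16(x) (x)
#endif

/* Returns the IPv4 protocol number, -1 if the frame is not IPv4,
 * -2 if a header would extend past data_end. */
static inline int ipv4_proto(const void *data, const void *data_end)
{
	const struct ethhdr *eth = data;
	const struct iphdr *iph;

	/* Packet pointer compared with data_end: the comparison that the
	 * affected verifier reports as prohibited. */
	if ((const void *)(eth + 1) > data_end)
		return -2;
	if (eth->h_proto != BE16(ETH_P_IP))
		return -1;

	iph = (const struct iphdr *)(eth + 1);
	if ((const void *)(iph + 1) > data_end)
		return -2;
	return iph->protocol;
}

#ifdef __bpf__
#include <linux/bpf.h>
#include <linux/pkt_cls.h>
#include <bpf/bpf_helpers.h>

/* Assumption: a tc classifier; the page only says "networking BPF program". */
SEC("tc")
int check_ip_bounds(struct __sk_buff *skb)
{
	const void *data = (const void *)(long)skb->data;
	const void *data_end = (const void *)(long)skb->data_end;

	/* Drop only frames whose headers are truncated. */
	return ipv4_proto(data, data_end) == -2 ? TC_ACT_SHOT : TC_ACT_OK;
}

char LICENSE[] SEC("license") = "GPL";
#endif
```

On a patched kernel this object loads under the two capabilities named above; on an affected 6.1.y kernel the load is the step that fails in the verifier.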

Remediation

Users can apply the patch available in the Linux kernel stable repository to address this vulnerability. Instructions for downloading the patched version can be found in the Linux kernel documentation.

Added: Dec 30, 2025, 4:15 PM
Updated: Dec 30, 2025, 4:15 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.