Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) implementation has been addressed. The issue is in the 'bpf_perf_event_output' function, which writes performance event samples. Its nesting protection, a per-CPU nest-level counter that selects which per-CPU 'perf_sample_data' buffer a caller uses, relies on preemption being disabled, which is guaranteed for kprobes and tracepoints. However, 'bpf_perf_event_output' can also be invoked from uprobes context via 'bpf_prog_run_array_sleepable', which disables migration but leaves preemption enabled. A task can therefore be preempted by another task on the same CPU while inside the nesting protection, so the entries and exits no longer nest strictly and two tasks can end up using the same 'perf_sample_data' buffer. The result is memory corruption and a crash, such as a page fault in which the kernel attempts to execute a non-executable (NX) protected page, a condition the kernel's own oops message flags as a possible exploit attempt.
Exploitation of this vulnerability could lead to kernel crashes from the corrupted performance event data, with oops messages reporting an attempt to execute a non-executable page.
The vulnerability can be reproduced by calling 'bpf_perf_event_output' from uprobes context while preemption is still enabled. That path runs through 'bpf_prog_run_array_sleepable', which disables migration but allows preemption, so tasks on the same CPU can interleave inside the nesting protection during performance event processing.
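The following user-space model is an added illustration written for this entry; it is not kernel code and not the fix itself. It replays the scheme the description above refers to: a per-CPU nest-level counter picks one of a small array of sample buffers, which is only safe when every entry is matched by its own exit before another task on that CPU enters. The task names, the constructed schedule string and the step model are assumptions made here. Run with preemption allowed, the scripted interleaving (A enters, B enters, A exits, C enters) hands C the buffer B is still using; with the critical section made non-preemptible, as the upstream fix does, the same scheduler can never produce that interleaving.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_NEST  3        /* stand-in for the size of the per-CPU buffer array */
#define NUM_TASKS 3
#define MAX_TICKS 100

enum step { STEP_ENTER, STEP_WORK, STEP_EXIT, STEP_DONE };

struct cpu_state {
    int nest_level;            /* analogue of the per-CPU nest-level counter */
    int owner[MAX_NEST];       /* task id holding buffer i, or -1 if free */
    bool preempt_disabled;     /* the scheduler may not switch tasks while set */
};

struct task {
    int id;
    enum step pc;              /* next step this task will execute */
    int slot;                  /* buffer index claimed at ENTER, -1 if none */
};

/* Execute one step of task t. Returns the number of buffer-sharing violations seen. */
static int run_step(struct cpu_state *cpu, struct task *t, bool fix_applied)
{
    int bad = 0;

    switch (t->pc) {
    case STEP_ENTER:
        if (fix_applied)
            cpu->preempt_disabled = true;    /* the fix: preempt_disable() on entry */
        t->slot = cpu->nest_level++;         /* nest level selects the buffer */
        if (t->slot >= MAX_NEST) {
            t->slot = -1;                    /* nested too deep: kernel bails out */
        } else {
            if (cpu->owner[t->slot] != -1)
                bad++;                       /* buffer still in use by another task */
            cpu->owner[t->slot] = t->id;
        }
        break;
    case STEP_WORK:
        /* The task fills and submits its sample; the buffer must still be its own. */
        if (t->slot >= 0 && cpu->owner[t->slot] != t->id)
            bad++;
        break;
    case STEP_EXIT:
        if (t->slot >= 0 && cpu->owner[t->slot] == t->id)
            cpu->owner[t->slot] = -1;
        cpu->nest_level--;                   /* release the nest level */
        if (fix_applied)
            cpu->preempt_disabled = false;   /* the fix: preempt_enable() on exit */
        break;
    case STEP_DONE:
        break;
    }
    if (t->pc != STEP_DONE)
        t->pc++;
    return bad;
}

/*
 * Drive three tasks (A, B, C) on one CPU through a constructed non-LIFO
 * interleaving. Returns the number of violations; 0 means no buffer was shared.
 */
int simulate_nesting(bool fix_applied)
{
    static const char schedule[] = "ABAACBBCC";   /* constructed: preferred task per tick */
    struct cpu_state cpu = { .nest_level = 0, .owner = { -1, -1, -1 },
                             .preempt_disabled = false };
    struct task tasks[NUM_TASKS];
    struct task *current = NULL;
    size_t sched_len = strlen(schedule);
    int violations = 0;

    for (int i = 0; i < NUM_TASKS; i++)
        tasks[i] = (struct task){ .id = i, .pc = STEP_ENTER, .slot = -1 };

    for (int tick = 0; tick < MAX_TICKS; tick++) {
        struct task *next = &tasks[schedule[tick % sched_len] - 'A'];

        /* With preemption disabled the running task cannot be switched out. */
        if (cpu.preempt_disabled && current && current->pc != STEP_DONE)
            next = current;
        /* A finished task yields the CPU to the first task still runnable. */
        if (next->pc == STEP_DONE) {
            next = NULL;
            for (int i = 0; i < NUM_TASKS; i++)
                if (tasks[i].pc != STEP_DONE) { next = &tasks[i]; break; }
            if (!next)
                break;                       /* everything ran to completion */
        }
        current = next;
        violations += run_step(&cpu, current, fix_applied);
    }
    return violations;
}

int main(void)
{
    printf("preemption enabled (vulnerable): %d violation(s)\n", simulate_nesting(false));
    printf("preemption disabled (fixed):     %d violation(s)\n", simulate_nesting(true));
    return 0;
}
```

The model deliberately keeps the counter itself atomic, which matches the real code: the race is not a torn increment but the loss of the stack discipline that a level-indexed buffer array depends on, which is why disabling migration alone is not enough and the fix has to disable preemption across the section.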
Users should upgrade to a Linux kernel version in which this vulnerability has been fixed. The commit addressing this issue is available in the Linux kernel stable tree.