Linux Kernel BPF Verifier Global Function Pointer Invalidation Vulnerability

Vulnerability

A vulnerability in the Linux kernel's BPF verifier allows packet data pointers to survive calls that may change the underlying packet data. The verifier normally marks packet pointers invalid after a helper that can change packet data runs; when such a helper is called from within a global sub-program, the verifier fails to invalidate the packet pointers held in the caller's state. A crafted BPF program can therefore keep using a stale packet pointer that the verifier no longer checks correctly, creating a risk of memory corruption or other unintended behavior.
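To make the verifier-side point concrete, the following is a toy model of the packet-pointer tracking described above. It is an added illustration written for this page, not kernel code: the instruction forms, the State class, the verify function, the sub-program names and the one-element helper set (only 'skb_pull_data', which is the helper the page names) are all constructed here. The model verifies a global sub-program in isolation, as the real verifier does, and shows the difference between a verifier that leaves the caller's packet pointers untouched after the call (the buggy behavior) and one that invalidates them whenever the callee may change packet data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Helpers that must be treated as changing packet data. The page names
# skb_pull_data; restricting the set to it is an assumption of this model.
PKT_CHANGING_HELPERS = frozenset({"skb_pull_data"})

# Instruction forms used by the toy programs (constructed for this model):
#   ("load_pkt", reg)       reg := pointer into packet data (derived from ctx)
#   ("call_helper", name)   call a BPF helper
#   ("call_global", name)   call a global sub-program
#   ("store", reg)          write through reg
Insn = Tuple[str, str]


@dataclass
class State:
    regs: Dict[str, str] = field(default_factory=dict)  # reg -> "pkt" | "invalid"


def subprog_changes_packet(name: str, subprogs: Dict[str, List[Insn]], seen=None) -> bool:
    """True if the global sub-program (transitively) calls a packet-changing helper."""
    seen = set() if seen is None else seen
    if name in seen:
        return False
    seen.add(name)
    for op, arg in subprogs[name]:
        if op == "call_helper" and arg in PKT_CHANGING_HELPERS:
            return True
        if op == "call_global" and subprog_changes_packet(arg, subprogs, seen):
            return True
    return False


def invalidate_pkt_regs(st: State) -> None:
    """Mark every packet pointer in the current state as no longer usable."""
    for reg, typ in st.regs.items():
        if typ == "pkt":
            st.regs[reg] = "invalid"


def verify(main: List[Insn], subprogs: Dict[str, List[Insn]], fixed: bool) -> List[str]:
    """Return verifier errors for `main`; an empty list means the program is accepted."""
    st = State()
    errors: List[str] = []
    for i, (op, arg) in enumerate(main):
        if op == "load_pkt":
            st.regs[arg] = "pkt"
        elif op == "call_helper":
            # A direct call to a packet-changing helper has always invalidated
            # packet pointers in the caller's state.
            if arg in PKT_CHANGING_HELPERS:
                invalidate_pkt_regs(st)
        elif op == "call_global":
            # Global sub-programs are verified once, in isolation, so the caller's
            # state is not walked through their body. The buggy verifier leaves
            # the caller's packet pointers untouched; the fixed one invalidates
            # them whenever the callee may change packet data.
            if fixed and subprog_changes_packet(arg, subprogs):
                invalidate_pkt_regs(st)
        elif op == "store":
            if st.regs.get(arg) != "pkt":
                errors.append(f"insn {i}: {arg} is {st.regs.get(arg, 'unset')}, "
                              f"packet write rejected")
    return errors


# Constructed sample programs for the model.
SUBPROGS = {"pull_global": [("call_helper", "skb_pull_data")]}

# Keeps using the packet pointer loaded before the global call.
MAIN_STALE = [("load_pkt", "r6"), ("call_global", "pull_global"), ("store", "r6")]

# Re-derives the packet pointer after the call, which is the correct pattern.
MAIN_RELOAD = [("load_pkt", "r6"), ("call_global", "pull_global"),
               ("load_pkt", "r6"), ("store", "r6")]


def demo() -> Dict[str, List[str]]:
    return {
        "buggy_stale": verify(MAIN_STALE, SUBPROGS, fixed=False),   # accepted: []
        "fixed_stale": verify(MAIN_STALE, SUBPROGS, fixed=True),    # rejected
        "fixed_reload": verify(MAIN_RELOAD, SUBPROGS, fixed=True),  # accepted: []
    }


if __name__ == "__main__":
    for name, errs in demo().items():
        print(name, "->", "accepted" if not errs else errs)
```

The interesting row is "buggy_stale": the model accepts a write through a pointer that the callee's helper may have made stale, which is exactly the gap the advisory describes. The "fixed_reload" row shows that a program which re-derives its packet pointer after the call is still accepted once the check is in place, so the fix costs well-formed programs nothing.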

Impact

Exploitation of this vulnerability could lead to memory corruption: a BPF program is allowed to keep using packet data pointers that should have been invalidated, so writes through them escape the verifier's checks and may result in unsafe memory access.

Reproduction

The vulnerability can be reproduced by creating a BPF program that uses the 'skb_pull_data' helper to pull packet data in a way that bypasses the verifier's checks on global function calls. This is done by calling 'skb_pull_data' from a global sub-program, which does not invalidate the packet data pointers in the caller's state. After the data has been pulled, the program can write through the stale pointer without the verifier rejecting the access, demonstrating the vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.