Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) verifier has been addressed. The issue was that the function 'copy_verifier_state()' did not copy the 'loop_entry' field of the BPF verifier state. This oversight could lead to 'loop_entry' values from unrelated states contaminating the current state, 'env->cur_state'. Additionally, 'env->stack' should never contain a state whose 'loop_entry' is non-NULL: stacked states are still pending verification, whereas 'loop_entry' is only assigned to states that have already reached a corresponding state. Consequently, 'env->cur_state->loop_entry' should always be NULL after 'pop_stack()'. This vulnerability could allow the verifier to accept programs that are not safe, as demonstrated by a self-test included in a subsequent commit.
Exploitation of this vulnerability could lead to the BPF verifier incorrectly accepting unsafe programs, potentially causing unintended behavior or security issues.
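As an added illustration (not code from the kernel or from this advisory), a simplified C model of the mechanism described above: a pending state is pushed with a NULL 'loop_entry', the current state still holds a stale 'loop_entry' from an earlier path, and 'pop_stack()' copies the pending state over it with either the buggy or the fixed copy routine. The struct layout, the field 'insn_idx', and the scenario values are assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical, simplified model of a verifier state (not the kernel's real struct). */
struct vstate {
    int insn_idx;               /* stands in for everything else in the state */
    struct vstate *loop_entry;  /* set once a state has reached a corresponding state */
};
struct stack_elem { struct vstate st; struct stack_elem *next; };
struct env { struct vstate cur; struct stack_elem *stack; };
typedef void (*copy_fn)(struct vstate *dst, const struct vstate *src);

/* Buggy copy: loop_entry is skipped, so dst keeps whatever it held before. */
static void copy_state_buggy(struct vstate *dst, const struct vstate *src)
{
    dst->insn_idx = src->insn_idx;
}
/* Fixed copy: loop_entry travels with the rest of the state. */
static void copy_state_fixed(struct vstate *dst, const struct vstate *src)
{
    dst->insn_idx = src->insn_idx;
    dst->loop_entry = src->loop_entry;
}
/* Snapshot a state still awaiting verification; such states have loop_entry == NULL. */
static void push_stack(struct env *env, struct stack_elem *elem, int insn_idx)
{
    elem->st.insn_idx = insn_idx;
    elem->st.loop_entry = NULL;
    elem->next = env->stack;
    env->stack = elem;
}
/* Pop into cur_state with the given copy routine; report whether cur.loop_entry is NULL. */
static bool pop_stack(struct env *env, copy_fn copy)
{
    struct stack_elem *head = env->stack;
    if (!head) return false;
    copy(&env->cur, &head->st);
    env->stack = head->next;
    return env->cur.loop_entry == NULL;   /* the invariant the advisory describes */
}
/* Scenario: cur_state just finished a path that set loop_entry; a pending state is now popped. */
static bool invariant_holds_after_pop(copy_fn copy)
{
    struct env env = { {0, NULL}, NULL };
    struct stack_elem pending;
    struct vstate entry = { 10, NULL };
    push_stack(&env, &pending, 20);
    env.cur.insn_idx = 12;
    env.cur.loop_entry = &entry;  /* stale value left over from the previous, unrelated path */
    return pop_stack(&env, copy);
}
```

With the buggy copy the stale pointer survives the pop, which is the contamination of 'env->cur_state' the advisory describes; with the fixed copy the popped state's NULL 'loop_entry' overwrites it.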