Linux Kernel BPF KTLS Panic Vulnerability in Sockmap Handling

Vulnerability

A vulnerability in the Linux kernel's handling of BPF (Berkeley Packet Filter) programs can lead to a kernel panic. The issue lies in the TCP BPF send message path when it is used with TLS (Transport Layer Security) sockets. A BPF program attached to the socket can grow the message iterator (for example by pushing extra data into the message), so its size no longer matches the state the send path saved earlier. When an error condition is later encountered and the send path rolls the iterator back to that saved state, the mismatch causes the iterator to be reset incorrectly, leading to an out-of-bounds access and a kernel panic.

Impact

Exploitation of this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by sending a message over a TLS socket that is managed by a BPF program. The BPF program pushes data into the message, increasing the size of the message iterator beyond its original length. When the message iterator is subsequently rolled back to a previous state, the mismatch between the increased size and the rolled-back iterator can cause an out-of-bounds access, triggering a kernel panic.

Added: Jul 3, 2025, 9:28 AM
Updated: Jul 3, 2025, 9:28 AM

Vulnerability Rating

Custom Algorithm (score per category, higher is worse):

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.