Linux Kernel BPF Trace WARN() Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) tracing mechanism has been addressed. This issue, reported by syzkaller, involved a warning triggered in the 'get_bpf_raw_tp_regs' function within the BPF trace handling code. The warning was caused by a tracepoint, 'trace_mmap_lock_acquire_returned', leading to nested calls that the current implementation did not handle properly. This vulnerability was present in version 6.15.0-rc5.

Impact

Triggering this issue causes unintended WARN() messages to be generated, indicating that nested invocations of BPF raw tracepoint handlers were not handled correctly.

Reproduction

The vulnerability can be reproduced by using the syzkaller fuzzing tool, which will execute a sequence of operations that trigger the BPF tracepoint 'trace_mmap_lock_acquire_returned'. This will cause the 'get_bpf_raw_tp_regs' function to be called, generating a WARN() message due to the nested call handling issue.

Remediation

Users can update to the latest stable version of the Linux kernel where this vulnerability has been fixed.

Added: Jul 10, 2025, 9:35 AM
Updated: Jul 10, 2025, 9:35 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.