Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability has been identified in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, in the formatted output helpers (the bpf_trace_printk family). Before a BPF-supplied format string is handed to the kernel's printf engine, the helper function 'bpf_bprintf_prepare' validates it and is supposed to reject any conversion the engine does not support. That validation did not reject a '%' immediately following a '%p' conversion (the sequence '%p%'), because '%' was accepted as ordinary punctuation. A format string containing '%p%' therefore passed validation while still carrying a conversion the printf engine cannot parse, and the engine emitted a kernel warning (a WARN splat) about the invalid format string at runtime.
Triggering this issue produces a kernel warning from the format parser. On its own that is a log splat, but on systems that set panic_on_warn (common in hardened and test configurations) every WARN becomes a kernel panic, so the practical impact is denial of service. No memory corruption or privilege escalation is described for this issue, and unprivileged users normally cannot load the BPF tracing program types that reach these helpers.
To reproduce this vulnerability, load a BPF tracing program that calls 'bpf_trace_printk' with a format string containing '%p%' (for example '%p%' on its own, or '%p%d'). On a vulnerable kernel the helper accepts the string and, when the program runs, the kernel logs a warning about the unsupported format. On a patched kernel the helper rejects the format string with an error instead, which is the check to run to confirm the fix is present.
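The validation mismatch described above, as an added example that is not part of this advisory or of the kernel's code: a user-space C model of the format-string check a BPF printf-style helper performs, next to the parse a C printf engine performs on the same string. The function names bpf_fmt_validate, printf_engine_specs and fmt_mismatch are invented for this example. The model keeps only the plain %p, %s and integer conversions and follows the structure described above (after a plain %p, one following character is accepted when it is whitespace or punctuation, and that character is skipped); it is an assumption-based model, not the kernel's implementation, and the helper's other %p extensions are left out.

```c
/*
 * Added example (not kernel code): user-space model of the format-string
 * validation done by BPF printf-style helpers, next to what a printf engine
 * does with the same string.  Function names are invented for the example.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FMT_REJECT (-1)

/*
 * Helper-side check (model).  Returns how many conversions the validator
 * accounted for (one argument slot each), or FMT_REJECT.
 * reject_pct_after_p == false models the weak check: '%' is punctuation, so
 * "%p%" passes and the '%' after 'p' is skipped.  true models the fix.
 * Assumption: only plain %p, %s and integer conversions are modelled.
 */
int bpf_fmt_validate(const char *fmt, bool reject_pct_after_p)
{
    int num_spec = 0;
    size_t i, fmt_size = strlen(fmt);

    for (i = 0; i < fmt_size; i++) {
        unsigned char c = (unsigned char)fmt[i];

        if (c >= 0x80 || (!isprint(c) && !isspace(c)))
            return FMT_REJECT;          /* printable ASCII and whitespace only */
        if (c != '%')
            continue;
        if (fmt[i + 1] == '%') {        /* "%%" is a literal percent sign */
            i++;
            continue;
        }

        i++;                            /* NUL-terminated: fmt[i] is readable */
        while (fmt[i] == '0' || fmt[i] == '+' || fmt[i] == '-' || fmt[i] == ' ')
            i++;                        /* optional flags */
        while (fmt[i] >= '0' && fmt[i] <= '9')
            i++;                        /* optional width */

        if (fmt[i] == 'p') {
            unsigned char nx = (unsigned char)fmt[i + 1];

            if (reject_pct_after_p && nx == '%')
                return FMT_REJECT;      /* the fix: "%p%" is never valid */

            /* Plain pointer: end of string, whitespace or punctuation may
             * follow, and that one character is skipped.  '%' is punctuation,
             * so the skip hides the next conversion from the validator. */
            if (nx == 0 || isspace(nx) || ispunct(nx)) {
                i++;
                num_spec++;
                continue;
            }
            return FMT_REJECT;          /* other %p extensions: not modelled */
        }

        if (fmt[i] == 's') {            /* %s */
            num_spec++;
            continue;
        }

        if (fmt[i] == 'l')              /* %ld, %lld */
            i++;
        if (fmt[i] == 'l')
            i++;
        if (fmt[i] == 0 || !strchr("diuxX", fmt[i]))
            return FMT_REJECT;
        num_spec++;
    }
    return num_spec;
}

/*
 * What a C-style printf engine sees in the same string: the number of
 * conversions it will try to consume, or -1 when it reaches a '%' with no
 * conversion character at all (the case the kernel's printf warns about).
 */
int printf_engine_specs(const char *fmt)
{
    int n = 0;

    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                   /* "%%" */
        while (*p && strchr("0+- #", *p))
            p++;                        /* flags */
        while (*p >= '0' && *p <= '9')
            p++;                        /* width */
        while (*p == 'l')
            p++;                        /* length modifier */
        if (*p == 0)
            return -1;                  /* dangling '%': unsupported format */
        n++;
    }
    return n;
}

/* True when the validator accepted a string the engine parses differently. */
bool fmt_mismatch(const char *fmt, bool fixed)
{
    int v = bpf_fmt_validate(fmt, fixed);

    return v != FMT_REJECT && v != printf_engine_specs(fmt);
}

int main(void)
{
    /* constructed sample format strings */
    const char *samples[] = { "pid=%d comm=%s", "%p", "%p:%d", "%p%", "%p%d" };

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-16s weak=%2d fixed=%2d engine=%2d%s\n", samples[k],
               bpf_fmt_validate(samples[k], false),
               bpf_fmt_validate(samples[k], true),
               printf_engine_specs(samples[k]),
               fmt_mismatch(samples[k], false) ? "  <- reaches the engine unchecked" : "");
    return 0;
}
```

The point the table makes is that the weak validator and the engine disagree on '%p%' and '%p%d': the validator accounts for one conversion while the engine sees a dangling '%' (warning) or a second conversion it was never given an argument for. Rejecting '%' after '%p' restores agreement, which is the property a reviewer should check in any pre-validation of a format string that a different parser will consume later.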
Users should upgrade to a kernel release that contains the fix; the fixing commit is available in the Linux kernel stable tree. Until a fixed kernel is deployed, exposure is limited to principals who are allowed to load BPF tracing programs, since only such programs can reach the affected helpers.