Linux Kernel BPF Verifier Range Refinement Vulnerability

Vulnerability

A vulnerability in the Linux kernel's BPF verifier has been addressed. The issue arose from an incorrect range refinement after processing JSET instructions, which violated the verifier's range invariants. It was triggered by a specific BPF program in which the sign extension of a JSET immediate created an unreachable path. Because the verifier could not prove the branch outcome, it walked both branches, and refining the register bounds on the dead branch produced inconsistent bounds. The fix modifies the verifier to disregard certain range refinements after JSETs, so that no invariant violation is introduced on dead branches.
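The refinement sequence described above, modelled as an added example (constructed for this page, not the kernel's verifier code and not the syzkaller reproducer): a minimal tnum-plus-range register model in which an unknown helper return value in r0 is first constrained to be nonzero, then reaches a JSET whose 32-bit immediate sign-extends to all ones. The branch-taken check cannot decide the jump from the tnum alone, so the verifier walks the fallthrough branch, where naive range refinement produces umin > umax. The `forget_ranges` flag models the kind of fix the advisory describes (re-deriving the range from the tnum instead of keeping the stale range). The two-instruction program shape, the helper `refine_jne_zero`/`refine_jset_false` names and the `Reg`/`Tnum` classes are assumptions for illustration only.

```python
U64_MAX = (1 << 64) - 1


class Tnum:
    """Tristate number: each bit is known-0, known-1, or unknown (mask bit set)."""

    def __init__(self, value, mask):
        self.value = value & U64_MAX
        self.mask = mask & U64_MAX

    @staticmethod
    def const(v):
        return Tnum(v, 0)

    @staticmethod
    def unknown():
        return Tnum(0, U64_MAX)

    def __and__(self, other):
        # Same construction as a bitwise AND on tristate numbers:
        # a bit is known-1 only if both inputs have it known-1.
        alpha = self.value | self.mask
        beta = other.value | other.mask
        v = self.value & other.value
        return Tnum(v, alpha & beta & ~v)

    def min_u64(self):
        return self.value

    def max_u64(self):
        return self.value | self.mask


class Reg:
    """Simplified register state: a tnum plus an unsigned 64-bit range."""

    def __init__(self):
        self.var_off = Tnum.unknown()
        self.umin, self.umax = 0, U64_MAX

    def sync(self):
        # Tighten the range with whatever the tnum proves.
        self.umin = max(self.umin, self.var_off.min_u64())
        self.umax = min(self.umax, self.var_off.max_u64())

    def invariants_hold(self):
        return self.umin <= self.umax


def sign_extend32(imm32):
    """A 32-bit immediate is sign-extended to 64 bits: 0xffffffff -> all ones."""
    imm32 &= 0xffffffff
    if imm32 & 0x80000000:
        return (imm32 - (1 << 32)) & U64_MAX
    return imm32


def jset_branch_taken(reg, imm):
    """1 = always taken, 0 = never taken, -1 = undecidable from the tnum."""
    known_ones = reg.var_off.value & ~reg.var_off.mask
    if known_ones & imm:
        return 1
    if not ((reg.var_off.value | reg.var_off.mask) & imm):
        return 0
    return -1


def refine_jne_zero(reg):
    """Fallthrough of `if r == 0 goto ...`: r is now known to be nonzero."""
    if reg.umin == 0:
        reg.umin = 1  # range learns r != 0, but the tnum learns nothing


def refine_jset_false(reg, imm, forget_ranges):
    """Fallthrough of `if r & imm goto ...`: every bit set in imm is zero in r."""
    reg.var_off = reg.var_off & Tnum.const(~imm)
    if forget_ranges:
        # Assumed model of the fix: drop the stale range and let sync()
        # rebuild it from the tnum, rather than intersecting with it.
        reg.umin, reg.umax = 0, U64_MAX
    reg.sync()


def walk(forget_ranges):
    """Walk the constructed two-branch sequence and return the resulting r0 state."""
    r0 = Reg()  # constructed: r0 holds an unknown helper return value
    refine_jne_zero(r0)                      # 1: if r0 == 0 goto exit  (fallthrough)
    imm = sign_extend32(0xffffffff)          # 32-bit imm -> 0xffffffffffffffff
    taken = jset_branch_taken(r0, imm)
    assert taken == -1                       # tnum alone cannot prove the jump
    refine_jset_false(r0, imm, forget_ranges)  # 2: if r0 & imm goto exit (dead fallthrough)
    return r0


if __name__ == "__main__":
    bad, good = walk(False), walk(True)
    print("naive refinement:", bad.umin, bad.umax, bad.invariants_hold())
    print("ranges forgotten:", good.umin, good.umax, good.invariants_hold())
```

Without forgetting the range, the dead fallthrough keeps umin = 1 from the earlier nonzero check while the tnum now proves r0 == 0, so umax collapses to 0 and umin > umax, the invariant violation the advisory describes. With the range rebuilt from the tnum, the dead branch is simply modelled as r0 == 0, which is conservative and consistent.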

Impact

The vulnerability could cause the BPF verifier to compute incorrect register bounds, potentially allowing it to accept invalid BPF programs that would then execute in a privileged context.

Reproduction

The vulnerability can be reproduced by loading a BPF program that includes JSET instructions, such as one that calls 'bpf_get_netns_cookie' and includes conditions that would normally be unreachable. This can be done with a kernel fuzzer like 'syzkaller', which is designed to exercise the Linux kernel's handling of BPF programs.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Sep 11, 2025, 6:33 PM
Updated: Sep 11, 2025, 6:33 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.