Linux Kernel LoongArch BPF Sign-Extension Vulnerability in Struct Ops Return Values

Vulnerability

A vulnerability has been identified in the Linux kernel's handling of BPF (Berkeley Packet Filter) programs on the LoongArch architecture. The BPF struct ops program 'bpf_fifo_dequeue' returns a pointer, but its return value is incorrectly treated as a 32-bit value and sign-extended to 64 bits. Sign-extending the return value is appropriate for most BPF program types, but not for struct ops programs, which must follow the LoongArch Application Binary Interface (ABI) and may return a full 64-bit value. The problem was discovered when the 'ns_bpf_qdisc' selftest triggered a kernel panic from an unhandled page fault; the panic was observed on a 6.16.0+ Linux kernel.
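
To make the failure mechanism concrete, the following is an added C model of the two epilogue behaviours described above; it is not the kernel's JIT code, and the helper names, the program-kind enum and the sample pointer values are constructed for illustration. It shows why sign-extending the low 32 bits is right for an int-returning program but destroys a 64-bit pointer returned by a struct ops program.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the JIT epilogue, not kernel code. */
enum prog_kind { PROG_RETURNS_INT, PROG_STRUCT_OPS };

/* Sign-extend the low 32 bits of the return register to 64 bits. */
static uint64_t sext32(uint64_t raw)
{
    return (uint64_t)(int64_t)(int32_t)(uint32_t)raw;
}

/* Buggy epilogue: every program's return register is sign-extended. */
static uint64_t epilogue_buggy(enum prog_kind kind, uint64_t raw)
{
    (void)kind;
    return sext32(raw);
}

/* Fixed epilogue: struct ops programs follow the LoongArch ABI and keep
 * the full 64-bit register; other program types still get sign-extension. */
static uint64_t epilogue_fixed(enum prog_kind kind, uint64_t raw)
{
    if (kind == PROG_STRUCT_OPS)
        return raw;
    return sext32(raw);
}

/* 1 if a struct ops program's returned pointer survives the epilogue unchanged. */
static int pointer_preserved(uint64_t ptr,
                             uint64_t (*epi)(enum prog_kind, uint64_t))
{
    return epi(PROG_STRUCT_OPS, ptr) == ptr;
}

int main(void)
{
    /* Constructed sample kernel pointers, not real addresses. */
    const uint64_t p1 = 0x9000000012345678ULL; /* bit 31 clear: upper half zeroed */
    const uint64_t p2 = 0x900000009abcdef0ULL; /* bit 31 set: upper half becomes 0xffffffff */

    printf("buggy  p1 -> 0x%016llx\n", (unsigned long long)epilogue_buggy(PROG_STRUCT_OPS, p1));
    printf("buggy  p2 -> 0x%016llx\n", (unsigned long long)epilogue_buggy(PROG_STRUCT_OPS, p2));
    printf("fixed  p1 -> 0x%016llx\n", (unsigned long long)epilogue_fixed(PROG_STRUCT_OPS, p1));
    /* A negative int return (e.g. -22) still needs sign-extension in both versions. */
    printf("int -22 -> 0x%016llx\n", (unsigned long long)epilogue_fixed(PROG_RETURNS_INT, (uint32_t)-22));
    return 0;
}
```

Either mangled pointer is then dereferenced by the caller, which is the unhandled page fault the selftest reported.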

Impact

Triggering this vulnerability causes a kernel panic and therefore a denial of service; in the reported case the panic abruptly terminated the 'test_progs' process that was executing the BPF program.

Reproduction

The vulnerability can be reproduced by running the 'ns_bpf_qdisc' selftest from the kernel's BPF selftest suite. The selftest triggers the kernel panic through an unhandled page fault, demonstrating the improper sign-extension of return values from struct ops BPF programs.

Remediation

Users can upgrade to a Linux kernel release in which this vulnerability has been addressed. The fix is commit '8b51b11b3d81c1ed48a52f87da9256d737b723a0', which is included in the official Linux kernel stable releases.

Added: Oct 28, 2025, 1:13 PM
Updated: Oct 28, 2025, 1:13 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          2.5
  exploitability  5.7
  remediation     7.7
  relevance       0.8
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to produce these eight key vulnerability categories, which are then combined into the overall risk score.