Linux Kernel BPF Socket Address Access Validation Vulnerability

Vulnerability

A vulnerability in the Linux kernel's handling of BPF socket address programs has been addressed. The issue arose because the BPF socket address structure contains implicit padding after the IPv4 source address, and the access validation function did not account for it. This oversight allowed a BPF program to perform an invalid access to the padding, which the verifier later reported as a kernel verifier error. The vulnerability was discovered with Syzkaller, a kernel fuzzer, which triggered the warning during context access conversion. The patch resolves the issue by explicitly checking the fields of the BPF socket address in the access validation function, so that accesses to the padding are rejected at verification time.

Impact

The vulnerability could cause a kernel verifier bug, leading to errors during context access conversion, which can disrupt the normal operation of BPF programs that handle socket addresses.

Reproduction

The vulnerability can be reproduced by creating a BPF program that accesses the socket address structure. Specifically, the program should read a value from an offset that corresponds to the implicit padding after the 'msg_src_ip4' field. This access will trigger the verifier bug, as the padding is not properly validated, causing an error during context access conversion.
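The following user-space model is an added example, not code from the advisory or from the kernel's net/core/filter.c. It contrasts the two validation strategies the advisory describes: a range-based context-access check that accepts any aligned 4-byte read inside the structure (and therefore admits implicit padding that maps to no field), and an explicit per-field check that only accepts reads of named fields. The struct layout is assumed to follow the public uapi definition of struct bpf_sock_addr in include/uapi/linux/bpf.h; the function and type names (model_sock_addr, range_access_ok, explicit_access_ok, find_padding_offset) are the example's own. Rather than hard-coding where the padding lies, find_padding_offset() locates the first 4-byte slot that no named field covers on the host it is compiled on.

```c
/* Added example: model of implicit-padding validation in a BPF context struct.
 * Not kernel code. Layout of struct model_sock_addr is an assumption mirroring
 * the uapi struct bpf_sock_addr; names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct bpf_sock; /* opaque, as the pointer target is in the uapi header */

struct model_sock_addr {
    uint32_t user_family;
    uint32_t user_ip4;
    uint32_t user_ip6[4];
    uint32_t user_port;
    uint32_t family;
    uint32_t type;
    uint32_t protocol;
    uint32_t msg_src_ip4;
    uint32_t msg_src_ip6[4];
    /* 8-byte aligned pointer slot, as __bpf_md_ptr() produces; the alignment
     * requirement is what forces the compiler to insert implicit padding. */
    union { struct bpf_sock *sk; uint64_t sk_raw; } __attribute__((aligned(8)));
};

/* Every named field of the struct: the explicit check accepts nothing else. */
struct field { const char *name; size_t off; size_t size; bool is_ptr; };
#define FIELD(f, ptr) { #f, offsetof(struct model_sock_addr, f), \
                        sizeof(((struct model_sock_addr *)0)->f), ptr }
static const struct field fields[] = {
    FIELD(user_family, false), FIELD(user_ip4, false), FIELD(user_ip6, false),
    FIELD(user_port, false),   FIELD(family, false),   FIELD(type, false),
    FIELD(protocol, false),    FIELD(msg_src_ip4, false),
    FIELD(msg_src_ip6, false), FIELD(sk, true),
};
#define NFIELDS (sizeof(fields) / sizeof(fields[0]))

/* Weak check: any aligned 4-byte read inside the struct passes, including
 * reads of padding that later cannot be translated to a real field. */
bool range_access_ok(size_t off, size_t size)
{
    return size == sizeof(uint32_t) && off % 4 == 0 &&
           off + size <= sizeof(struct model_sock_addr);
}

/* Explicit check: the access must fall wholly inside one named field.
 * 32-bit fields (and arrays of them) allow aligned 4-byte reads only; the
 * pointer field allows exactly one 8-byte read at its start. This model
 * deliberately omits the wide-access special cases the real verifier has. */
bool explicit_access_ok(size_t off, size_t size)
{
    for (size_t i = 0; i < NFIELDS; i++) {
        const struct field *f = &fields[i];
        if (off < f->off || off + size > f->off + f->size)
            continue;
        if (f->is_ptr)
            return off == f->off && size == sizeof(uint64_t);
        return size == sizeof(uint32_t) && (off - f->off) % 4 == 0;
    }
    return false; /* no named field covers this range: padding or out of bounds */
}

/* Locate the first 4-byte slot that belongs to no named field, or -1. */
long find_padding_offset(void)
{
    for (size_t off = 0; off + 4 <= sizeof(struct model_sock_addr); off += 4) {
        bool covered = false;
        for (size_t i = 0; i < NFIELDS && !covered; i++)
            covered = off >= fields[i].off &&
                      off + 4 <= fields[i].off + fields[i].size;
        if (!covered)
            return (long)off;
    }
    return -1;
}

int main(void)
{
    long pad = find_padding_offset();
    size_t ip4 = offsetof(struct model_sock_addr, msg_src_ip4);
    printf("sizeof(model_sock_addr)=%zu, implicit padding at offset %ld\n",
           sizeof(struct model_sock_addr), pad);
    printf("read msg_src_ip4 (off %zu): range=%d explicit=%d\n",
           ip4, (int)range_access_ok(ip4, 4), (int)explicit_access_ok(ip4, 4));
    if (pad >= 0)
        printf("read padding (off %ld):     range=%d explicit=%d\n", pad,
               (int)range_access_ok((size_t)pad, 4),
               (int)explicit_access_ok((size_t)pad, 4));
    return 0;
}
```

Run it with any C compiler on a 64-bit host; the padding read is accepted by range_access_ok and rejected by explicit_access_ok, which is the behavioural difference the fix introduces. A per-field table like fields[] also makes the check robust to future layout changes, since a newly added field is simply absent from the table until someone deliberately permits it.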

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. The patched version can be downloaded from the Linux kernel Git repository.

Added: Oct 28, 2025, 12:24 PM
Updated: Oct 28, 2025, 12:24 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          2.5
  exploitability  5.7
  remediation     7.7
  relevance       0.9
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.