Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- >= 6.17.0-rc1, < 6.17.0-rc1-g2465bb83e0b4
A vulnerability has been identified in the Linux kernel's handling of BPF (Berkeley Packet Filter) programs on the RISC-V architecture. The BPF JIT (Just-In-Time) compiler for RISC-V does not sign-extend the return values of 'struct ops' programs correctly: a pointer returned by such a program is treated as a 32-bit value, so the upper half of the 64-bit address is lost and the kernel later dereferences an invalid address, producing a "kernel paging request" error. The 'ns_bpf_qdisc' selftest demonstrates this by triggering a kernel panic when the truncated pointer is accessed.
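The following user-space C model (an added example, not kernel code and not taken from the advisory) shows why narrowing every struct_ops return value to 32 bits breaks pointer-returning callbacks while being correct for 32-bit integer results. The function names, the narrowing model and the sample values are hypothetical constructions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit sign-extending move (RISC-V "sext.w"): keep the low
 * 32 bits of the register and replicate bit 31 into the upper half. */
static uint64_t sext_w(uint64_t v)
{
    return (uint64_t)(int64_t)(int32_t)(uint32_t)v;
}

/* Flawed exit path: every struct_ops return value is narrowed to 32 bits,
 * regardless of the callback's declared return type. */
static uint64_t exit_retval_unconditional(uint64_t raw)
{
    return sext_w(raw);
}

/* Type-aware exit path: narrow only when the callback returns a 32-bit
 * integer; pointers and other 64-bit values pass through untouched. */
static uint64_t exit_retval_by_type(uint64_t raw, bool ret_is_32bit)
{
    return ret_is_32bit ? sext_w(raw) : raw;
}

/* True when a pointer-typed return value survives the chosen exit path. */
static bool pointer_preserved(uint64_t kptr, bool type_aware)
{
    uint64_t out = type_aware ? exit_retval_by_type(kptr, false)
                              : exit_retval_unconditional(kptr);
    return out == kptr;
}

int main(void)
{
    /* Constructed sample values: a kernel-space pointer with bit 31 set,
     * and the 32-bit encoding of -22 (-EINVAL) as an int return. */
    const uint64_t kptr  = 0xffffffd0a38dbf18ull;
    const uint64_t err32 = 0x00000000ffffffeaull;

    printf("pointer through unconditional narrowing: %#llx -> %#llx\n",
           (unsigned long long)kptr,
           (unsigned long long)exit_retval_unconditional(kptr));
    printf("pointer through type-aware exit path:    %#llx -> %#llx\n",
           (unsigned long long)kptr,
           (unsigned long long)exit_retval_by_type(kptr, false));
    printf("int -22 through type-aware exit path:    %#llx -> %#llx\n",
           (unsigned long long)err32,
           (unsigned long long)exit_retval_by_type(err32, true));
    return 0;
}
```

The narrowed pointer differs from the original in its upper 32 bits, which is the class of invalid address the paging-request panic reports; the integer case shows why the sign extension is still needed when the declared return type really is 32 bits.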
Exploitation of this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by running the 'ns_bpf_qdisc' selftest with the 'test_progs' program. This selftest will trigger a kernel panic by accessing a virtual address that is not valid, causing the kernel to crash.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is 'fd2e08128944a7679e753f920e9eda72057e427c', which is included in the official Linux kernel repositories.