Linux Kernel BPF Subsystem NULL Pointer Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's BPF subsystem has been identified that leads to a NULL pointer dereference. The issue arises in the 'bpf_prog_test_run_xdp()' function, where an uninitialized pointer causes a crash when a BPF program accesses the 'txq' member of the 'struct xdp_buff' object. The root cause lies in how expected attachment types are handled for BPF programs, in particular those of type 'BPF_PROG_TYPE_XDP' and 'BPF_PROG_TYPE_CGROUP_SOCK_ADDR': the tailcall compatibility check did not take the expected attachment type into account, so a program inserted into a tailcall map could violate the attachment type constraints under which its caller was verified, potentially allowing access or functionality that should not have been permitted.

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, leading to a crash of the affected program or process.

Reproduction

The vulnerability can be reproduced by creating two BPF programs of type 'BPF_PROG_TYPE_XDP'. The first program, 'progA', is used as the entry point for 'bpf_prog_test_run_xdp()' and has an expected attachment type that is neither 'BPF_XDP_DEVMAP' nor 'BPF_XDP_CPUMAP'; 'progA' calls a slot of a tailcall map that it owns. The second program, 'progB', has an expected attachment type of 'BPF_XDP_DEVMAP', which lets it pass the 'xdp_is_valid_access()' validation for reading 'txq'. When 'progB' is inserted into the tailcall map slot that 'progA' calls, the tailcall into 'progB' dereferences the 'txq' member of the 'xdp_buff' structure, which is NULL in the test-run path, triggering the crash.

Remediation

The vulnerability has been addressed by enforcing the expected attachment type in the '__bpf_prog_map_compatible()' function, ensuring that tailcalls do not violate attachment type constraints. Users should update to the latest version of the Linux kernel where this fix has been applied.
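To make the remediation concrete, the following is an added illustrative model of the tailcall compatibility check before and after the fix; it is not the kernel's code. Only the BPF program-type and attach-type names come from the advisory; the struct layout, the enum values and the 'model_*' names are simplified assumptions.

```c
#include <stdbool.h>

/* Local model only: names follow the advisory, values are not those of <linux/bpf.h>. */
enum prog_type { BPF_PROG_TYPE_XDP, BPF_PROG_TYPE_CGROUP_SOCK_ADDR };
enum attach_type { BPF_XDP, BPF_XDP_DEVMAP, BPF_XDP_CPUMAP };

struct model_prog { enum prog_type type; enum attach_type expected_attach_type; };

/* The first program to use a tailcall map becomes its owner; later programs
 * are compared against that owner. */
struct model_tailcall_map { bool has_owner; struct model_prog owner; };

/* For these types the verifier's access rules (e.g. whether 'txq' in
 * 'struct xdp_buff' may be read) depend on the expected attach type. */
static bool attach_type_restricts_access(enum prog_type t)
{
    return t == BPF_PROG_TYPE_XDP || t == BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
}

/* Unfixed check per the advisory: only the program type is compared, so an XDP
 * program verified for BPF_XDP_DEVMAP can join a map owned by a plain XDP program. */
bool model_map_compatible_unfixed(struct model_tailcall_map *map, const struct model_prog *p)
{
    if (!map->has_owner) { map->owner = *p; map->has_owner = true; return true; }
    return map->owner.type == p->type;
}

/* Fixed check: the expected attach type must match the owner's as well. */
bool model_map_compatible_fixed(struct model_tailcall_map *map, const struct model_prog *p)
{
    if (!map->has_owner) { map->owner = *p; map->has_owner = true; return true; }
    if (map->owner.type != p->type)
        return false;
    return !attach_type_restricts_access(p->type) ||
           map->owner.expected_attach_type == p->expected_attach_type;
}

/* The advisory's scenario: progA (XDP, attach type BPF_XDP) owns the map, then
 * progB (XDP, BPF_XDP_DEVMAP) is inserted. Returns whether progB is accepted. */
bool advisory_scenario(bool fixed)
{
    bool (*compat)(struct model_tailcall_map *, const struct model_prog *) =
        fixed ? model_map_compatible_fixed : model_map_compatible_unfixed;
    struct model_tailcall_map map = { 0 };
    struct model_prog progA = { BPF_PROG_TYPE_XDP, BPF_XDP };
    struct model_prog progB = { BPF_PROG_TYPE_XDP, BPF_XDP_DEVMAP };

    return compat(&map, &progA) && compat(&map, &progB);
}
```

With the unfixed check 'advisory_scenario(false)' returns true, meaning progB is admitted into progA's map; with the fixed check it returns false, so the mismatched program is rejected at map-update time rather than crashing at run time.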

Added: Nov 12, 2025, 12:10 PM
Updated: Nov 12, 2025, 5:48 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  5.7
remediation     7.7
relevance       1.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.