Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (and 4 more CPE entries)
A stack buffer overflow vulnerability has been identified in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically in the `__bpf_get_stackid()` function. The bug is triggered when a performance (perf) trace contains more stack entries than the corresponding stack map bucket can hold: the excess entries are written past the end of the bucket's allocation, corrupting adjacent memory. The issue was reported by syzkaller, with KASAN (Kernel Address Sanitizer) flagging the out-of-bounds write.
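The failure mode above is a missing capacity check on a fixed-size bucket. The following is an added, self-contained C model of that pattern (constructed for this page, not the kernel's stackmap code): a bucket with room for `MAX_DEPTH` entries sits in front of some neighbouring data, an unchecked copy of an oversized trace clobbers the neighbour, and a clamped copy keeps the write inside the bucket. All names (`struct arena`, `store_unchecked`, `store_checked`, the fill pattern and the fake frame addresses) are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH      8            /* bucket capacity (constructed value) */
#define NEIGHBOUR      4            /* slots that live directly after the bucket */
#define ARENA_SLOTS    (MAX_DEPTH + NEIGHBOUR)
#define NEIGHBOUR_FILL 0xA5A5A5A5A5A5A5A5ULL

/* Hypothetical layout: slots[0..MAX_DEPTH) is the bucket's ip[] storage,
 * slots[MAX_DEPTH..ARENA_SLOTS) stands in for whatever is allocated next to it. */
struct arena {
    uint32_t nr;                    /* number of entries stored in the bucket */
    uint64_t slots[ARENA_SLOTS];
};

static void arena_init(struct arena *a)
{
    memset(a, 0, sizeof *a);
    for (size_t i = MAX_DEPTH; i < ARENA_SLOTS; i++)
        a->slots[i] = NEIGHBOUR_FILL;   /* pattern lets us detect stray writes */
}

/* Model of the defect: every trace entry is copied without comparing trace_nr
 * against the bucket capacity. When trace_nr > MAX_DEPTH the copy runs into the
 * neighbour slots. (The arena is sized so this stays well-defined in the demo;
 * in the kernel the same pattern is a real out-of-bounds write.) */
static uint32_t store_unchecked(struct arena *a, const uint64_t *ips, uint32_t trace_nr)
{
    if (trace_nr > ARENA_SLOTS)
        trace_nr = ARENA_SLOTS;     /* demo-only guard so the model itself stays in bounds */
    for (uint32_t i = 0; i < trace_nr; i++)
        a->slots[i] = ips[i];
    a->nr = trace_nr;
    return trace_nr;
}

/* Hardened variant: clamp the number of entries to the bucket capacity first. */
static uint32_t store_checked(struct arena *a, const uint64_t *ips, uint32_t trace_nr)
{
    uint32_t n = trace_nr > MAX_DEPTH ? MAX_DEPTH : trace_nr;
    memcpy(a->slots, ips, n * sizeof ips[0]);
    a->nr = n;
    return n;
}

/* Returns 1 if the slots after the bucket still hold their fill pattern. */
static int neighbour_intact(const struct arena *a)
{
    for (size_t i = MAX_DEPTH; i < ARENA_SLOTS; i++)
        if (a->slots[i] != NEIGHBOUR_FILL)
            return 0;
    return 1;
}

/* Runs a constructed 12-entry trace (more than MAX_DEPTH) through both variants.
 * Returns 1 when the unchecked path corrupted the neighbour and the checked path
 * did not, storing exactly MAX_DEPTH entries. */
static int demo_overflow(void)
{
    uint64_t ips[ARENA_SLOTS];
    for (uint32_t i = 0; i < ARENA_SLOTS; i++)
        ips[i] = 0x1000 + (uint64_t)i * 0x10;   /* constructed fake frame addresses */

    struct arena a, b;
    arena_init(&a);
    arena_init(&b);
    store_unchecked(&a, ips, ARENA_SLOTS);
    store_checked(&b, ips, ARENA_SLOTS);

    return !neighbour_intact(&a) && neighbour_intact(&b) && b.nr == MAX_DEPTH;
}

/* A trace that fits is stored completely and touches nothing else. */
static int demo_small(void)
{
    uint64_t ips[3] = { 0x4000, 0x4010, 0x4020 };   /* constructed */
    struct arena a;
    arena_init(&a);
    return store_checked(&a, ips, 3) == 3 && a.nr == 3 &&
           neighbour_intact(&a) && a.slots[2] == 0x4020;
}

int main(void)
{
    printf("oversized trace: unchecked corrupts neighbour, checked clamps: %s\n",
           demo_overflow() ? "yes" : "no");
    printf("small trace stored intact: %s\n", demo_small() ? "yes" : "no");
    return 0;
}
```

The point of the model is the single comparison in `store_checked`: the copy length is derived from the bucket's capacity, not from the length of the incoming trace. A KASAN-instrumented kernel reports the unchecked form as an out-of-bounds write at the first slot past the bucket, which is the signal described in the advisory text.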
Triggering this vulnerability results in a heap-based buffer overflow, which can lead to memory corruption or arbitrary code execution.
The vulnerability can be reproduced with a BPF program that retrieves stack IDs while the perf trace contains more stack entries than the stack map bucket can hold; when the trace data exceeds the bucket's capacity, the out-of-bounds write occurs during stack ID retrieval.
Users should upgrade to a patched Linux kernel; the fix is available in the official Linux kernel Git repository on the stable branch.