Linux Kernel Netdevsim Driver BPF Program List Race Condition Vulnerability

Vulnerability

A race condition vulnerability has been identified in the netdevsim driver of the Linux kernel. This issue arises from the lack of a protection mechanism for operations on the bpf_bound_progs list. When the function nsim_bpf_create_prog adds a program to the list, it may collide with the nsim_bpf_destroy_prog function, which simultaneously removes a program. Such concurrent modifications can corrupt the list and lead to a kernel crash, as indicated by a 'kernel BUG' message and an 'invalid opcode' error. This vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can cause a kernel crash due to list corruption, triggered by concurrent addition and deletion operations on the bpf_bound_progs list.

Reproduction

To reproduce this vulnerability, load a BPF program onto a netdevsim device. While the program is loaded, simultaneously unload it. The race condition will cause a crash, as the addition and removal operations on the bpf_bound_progs list interfere with each other, leading to list corruption.

Remediation

The vulnerability has been addressed by adding a mutex lock to synchronize access to the bpf_bound_progs list, preventing simultaneous addition and deletion operations. Users should update to the patched version of the Linux kernel where this fix is applied.
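
The locking pattern described above, modeled in userspace as an added example (not the kernel patch or netdevsim source): a pthread mutex stands in for the kernel mutex, and model_create_prog, model_destroy_prog, bound_progs and bound_lock are hypothetical names. The add path and the remove path take the same lock, so concurrent workers cannot interleave their pointer updates on the shared list.

```c
#include <pthread.h>
#include <stdlib.h>

/* Userspace model, not kernel code; every name here is hypothetical. */
struct node { struct node *prev, *next; };   /* shaped like the kernel's list_head */
struct prog { struct node l; };
static struct node bound_progs = { &bound_progs, &bound_progs };
static pthread_mutex_t bound_lock = PTHREAD_MUTEX_INITIALIZER;

/* Create path: link a new program while holding the lock. */
static struct prog *model_create_prog(void)
{
    struct prog *p = malloc(sizeof(*p));
    if (!p) return NULL;
    pthread_mutex_lock(&bound_lock);
    p->l.next = bound_progs.next;
    p->l.prev = &bound_progs;
    bound_progs.next->prev = &p->l;
    bound_progs.next = &p->l;
    pthread_mutex_unlock(&bound_lock);
    return p;
}

/* Destroy path: unlink under the same lock, then free. */
static void model_destroy_prog(struct prog *p)
{
    pthread_mutex_lock(&bound_lock);
    p->l.prev->next = p->l.next;
    p->l.next->prev = p->l.prev;
    pthread_mutex_unlock(&bound_lock);
    free(p);
}
static void *worker(void *unused)
{
    for (int i = 0; i < 20000; i++) {
        struct prog *p = model_create_prog();
        if (p) model_destroy_prog(p);
    }
    return unused;
}

/* Run n (max 8) concurrent workers; return 1 if the list ends empty and intact. */
int run_model(int n)
{
    pthread_t t[8];
    int started = 0;
    while (started < n && started < 8 && pthread_create(&t[started], NULL, worker, NULL) == 0)
        started++;
    for (int i = 0; i < started; i++) pthread_join(t[i], NULL);
    return started > 0 && bound_progs.next == &bound_progs && bound_progs.prev == &bound_progs;
}
```

Build with pthread support enabled (for example cc -pthread) and call run_model from a small main.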

Added: Feb 14, 2026, 3:19 PM
Updated: Feb 14, 2026, 3:19 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 3.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.