Linux Kernel BPF Devmap Stack-Out-of-Bounds Write Vulnerability

Vulnerability

A stack-out-of-bounds write vulnerability has been identified in the Linux kernel's BPF devmap functionality. The issue arises in the get_upper_ifindexes() function, which collects the indices of upper devices into an array without proper bounds checking. This flaw can lead to adjacent memory on the stack being overwritten. The vulnerability is present in the stable versions of the Linux kernel.
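
The unchecked collection pattern described above, next to a bounded version, as an added user-space C example (not kernel code and not the upstream fix). The names model_dev, collect_unchecked, collect_bounded and guard_slots_clobbered, the eight-slot array size (taken from this page's "more than eight" threshold) and the sample ifindex values are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_UPPER 8    /* assumed array size, from the page's "more than eight" */
#define GUARD     8    /* extra slots so the overrun can be observed safely */
#define CANARY    (-1) /* real ifindexes are positive */

/* Simplified stand-in for a device and its upper devices (not a kernel struct). */
struct model_dev { const int *upper; size_t n_upper; };

/* Constructed sample: ifindexes of ten upper (macvlan-like) devices. */
static const int SAMPLE_UPPER[10] = {101, 102, 103, 104, 105, 106, 107, 108, 109, 110};

/* Unchecked pattern: one write per upper device, no knowledge of out[]'s size. */
static size_t collect_unchecked(const struct model_dev *dev, int *out) {
    for (size_t i = 0; i < dev->n_upper; i++)
        out[i] = dev->upper[i];
    return dev->n_upper;
}

/* Bounded pattern: capacity is a parameter; fail instead of writing past it. */
static int collect_bounded(const struct model_dev *dev, int *out, size_t cap) {
    for (size_t i = 0; i < dev->n_upper; i++) {
        if (i >= cap)
            return -EOVERFLOW;
        out[i] = dev->upper[i];
    }
    return (int)dev->n_upper;
}

/* Count slots past MAX_UPPER that the unchecked collector overwrote. */
static size_t guard_slots_clobbered(const struct model_dev *dev) {
    int backing[MAX_UPPER + GUARD];
    size_t hit = 0;
    if (dev->n_upper > MAX_UPPER + GUARD) return GUARD; /* keep the demo in bounds */
    for (size_t i = 0; i < MAX_UPPER + GUARD; i++)
        backing[i] = CANARY;
    collect_unchecked(dev, backing); /* callee is meant to have MAX_UPPER slots */
    for (size_t i = MAX_UPPER; i < MAX_UPPER + GUARD; i++)
        hit += (backing[i] != CANARY);
    return hit;
}

int main(void) {
    struct model_dev dev = { SAMPLE_UPPER, 10 };
    int out[MAX_UPPER];
    printf("clobbered=%zu bounded=%d\n", guard_slots_clobbered(&dev), collect_bounded(&dev, out, MAX_UPPER));
    return 0;
}
```

With ten upper devices the unchecked collector overwrites two slots beyond the eight the caller intended, while the bounded one returns an error that the caller has to handle rather than ignore.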

Impact

Exploitation of this vulnerability can cause a stack-based buffer overflow, potentially leading to corruption of stack data or arbitrary code execution; an attacker could use it to gain control of the execution flow.

Reproduction

To reproduce this vulnerability, create more than eight macvlan interfaces on a network device that has an XDP (Express Data Path) program attached, using the BPF flags to broadcast and exclude ingress. Then, send a packet to the device, which will trigger the XDP redirect process, causing the out-of-bounds write.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Mar 25, 2026, 12:04 PM
Updated: Mar 25, 2026, 12:04 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 4.3
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.