Linux Kernel BPF PROBE_MEM32 Constant Blinding Vulnerability

Vulnerability

A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem allows user-controlled 32-bit immediates to bypass constant blinding and end up verbatim in JIT-compiled native code. Constant blinding is the kernel's JIT-spraying mitigation: when 'bpf_jit_harden' is set to 1 (blind programs loaded without CAP_BPF) or 2 (blind all programs), the JIT's blinding pass ('bpf_jit_blind_constants') rewrites each instruction that carries a user-chosen immediate so that the constant is XORed with a per-program random value and reconstructed at run time in the scratch register BPF_REG_AX; the raw constant therefore never appears in executable memory. For immediate stores the pass matches 'BPF_ST | BPF_MEM'. The verifier, however, rewrites stores through a BPF arena pointer to the kernel-internal addressing mode 'BPF_PROBE_MEM32' so that the JIT applies the arena base and bounds handling, and the blinding pass has no case for that mode. A 'BPF_ST | BPF_PROBE_MEM32' store passes through blinding untouched, and its immediate is emitted unprotected into the native code even though hardening is enabled.

Impact

Constant blinding exists to stop JIT spraying: an attacker who can place chosen constants in executable kernel memory can encode short native instruction sequences inside the immediates and, given a separate control-flow hijack, jump into the middle of them. With this bug the 32-bit immediates of arena stores land in JIT-compiled code unblinded, so user-controlled data is injected into executable memory despite 'bpf_jit_harden' being set. On its own the bug does not yield code execution; it removes a mitigation, which is what can turn a separate kernel memory-corruption or control-flow bug into arbitrary code execution.

Reproduction

The vulnerability can be reproduced with a BPF program that stores a 32-bit immediate through an arena pointer, that is, a 'BPF_ST | BPF_MEM' store whose destination register holds a pointer into a 'BPF_MAP_TYPE_ARENA' map. The program itself never uses 'BPF_PROBE_MEM32'; the verifier rewrites the store to that mode while preparing the program for the JIT, and the rewritten instruction is what the blinding pass then skips. Load the program with 'bpf_jit_harden' set to 1 (or to 2 if the loader holds CAP_BPF, since level 1 exempts privileged programs) and inspect the result with 'bpftool prog dump jited': the chosen immediate appears verbatim in the native code, whereas the same store through a non-arena pointer shows only the XOR-masked constants and the BPF_REG_AX reconstruction sequence.
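As an added example written for this page (not kernel source and not the reporter's reproducer), the following C model walks through the mechanism described in the Vulnerability and Reproduction sections: a verifier step that rewrites arena stores to BPF_PROBE_MEM32, a blinding step modelled on bpf_jit_blind_insn() that only matches BPF_ST | BPF_MEM unless run in its fixed mode, and the check a practitioner would then apply to the output, namely scanning every immediate field for the chosen constant. The opcode values mirror the BPF UAPI; the function names, the fixed 'rnd' value standing in for the kernel's random blind, and the constructed two-instruction program are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Instruction layout and opcode values mirror the BPF UAPI (linux/bpf.h);
 * BPF_PROBE_MEM32 is the verifier-internal mode from filter.h. */
struct bpf_insn {
    uint8_t code;
    uint8_t dst_reg:4;
    uint8_t src_reg:4;
    int16_t off;
    int32_t imm;
};

#define BPF_ST          0x02
#define BPF_STX         0x03
#define BPF_ALU64       0x07
#define BPF_MEM         0x60
#define BPF_PROBE_MEM32 0xa0
#define BPF_W           0x00
#define BPF_MOV         0xb0
#define BPF_XOR         0xa0
#define BPF_K           0x00
#define BPF_REG_1       1
#define BPF_REG_AX      11   /* scratch register reserved for blinding */

#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_SIZE(code)  ((code) & 0x18)
#define BPF_MODE(code)  ((code) & 0xe0)
#define MAX_REGS        12

/* Model of the verifier step: an immediate store through a register that
 * holds an arena pointer has its mode rewritten BPF_MEM -> BPF_PROBE_MEM32. */
static void verifier_rewrite(struct bpf_insn *prog, int n, const int is_arena_ptr[MAX_REGS])
{
    for (int i = 0; i < n; i++) {
        uint8_t c = prog[i].code;
        if (BPF_CLASS(c) == BPF_ST && BPF_MODE(c) == BPF_MEM && is_arena_ptr[prog[i].dst_reg])
            prog[i].code = BPF_ST | BPF_PROBE_MEM32 | BPF_SIZE(c);
    }
}

/* Model of the blinding pass: an immediate store becomes
 *   AX = imm ^ rnd ; AX ^= rnd ; *(dst + off) = AX
 * so the raw immediate never reaches native code. `fixed` selects the
 * post-fix behaviour in which PROBE_MEM32 stores are matched as well.
 * Writes up to 3 instructions to `out` and returns how many. */
static int blind_insn(const struct bpf_insn *in, uint32_t rnd, int fixed, struct bpf_insn *out)
{
    uint8_t c = in->code, mode = BPF_MODE(c);
    int is_imm_store = BPF_CLASS(c) == BPF_ST &&
                       (mode == BPF_MEM || (fixed && mode == BPF_PROBE_MEM32));

    if (!is_imm_store) {          /* unblinded passthrough: the bug for PROBE_MEM32 */
        out[0] = *in;
        return 1;
    }
    out[0] = (struct bpf_insn){ .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = BPF_REG_AX,
                                .imm = (int32_t)((uint32_t)in->imm ^ rnd) };
    out[1] = (struct bpf_insn){ .code = BPF_ALU64 | BPF_XOR | BPF_K, .dst_reg = BPF_REG_AX,
                                .imm = (int32_t)rnd };
    /* keep the original addressing mode so an arena store stays an arena store */
    out[2] = (struct bpf_insn){ .code = BPF_STX | mode | BPF_SIZE(c), .dst_reg = in->dst_reg,
                                .src_reg = BPF_REG_AX, .off = in->off };
    return 3;
}

/* The check to run on the output: does the attacker-chosen constant survive
 * verbatim in any immediate field? Returns 1 on a leak, 0 if blinded. */
static int imm_survives(const struct bpf_insn *prog, int n, int32_t secret)
{
    for (int i = 0; i < n; i++)
        if (prog[i].imm == secret)
            return 1;
    return 0;
}

/* Runs the pipeline on a constructed two-instruction program: the same
 * constant stored once through an arena pointer (r1) and once through an
 * ordinary pointer (r2). Returns the leak verdict; *out_len receives the
 * length of the blinded stream. */
static int pipeline(int fixed, int32_t secret, int *out_len)
{
    int is_arena_ptr[MAX_REGS] = { [BPF_REG_1] = 1 };
    struct bpf_insn prog[2] = {
        { .code = BPF_ST | BPF_MEM | BPF_W, .dst_reg = BPF_REG_1, .off = 0, .imm = secret },
        { .code = BPF_ST | BPF_MEM | BPF_W, .dst_reg = 2,         .off = 0, .imm = secret },
    };
    struct bpf_insn out[6];
    uint32_t rnd = 0x5a3c9e71u;   /* fixed stand-in for the kernel's random blind */
    int n = 0;

    verifier_rewrite(prog, 2, is_arena_ptr);
    for (int i = 0; i < 2; i++)
        n += blind_insn(&prog[i], rnd, fixed, out + n);
    if (out_len)
        *out_len = n;
    return imm_survives(out, n, secret);
}

static int blinded_len(int fixed)
{
    int len = 0;
    pipeline(fixed, 0x0f05c3ff, &len);
    return len;
}

int main(void)
{
    const int32_t secret = 0x0f05c3ff;  /* arbitrary attacker-chosen bytes */
    for (int fixed = 0; fixed <= 1; fixed++) {
        int len;
        int leak = pipeline(fixed, secret, &len);
        printf("%s: %d insns emitted, raw immediate %s\n",
               fixed ? "fixed" : "buggy", len, leak ? "SURVIVES" : "blinded");
    }
    return 0;
}
```

In the buggy mode only the non-arena store is expanded (4 instructions emitted) and the arena store carries the constant through unchanged; in the fixed mode both stores expand (6 instructions) and the constant is gone. The 'imm_survives' scan is the same check to apply to the real output of 'bpftool prog dump jited': grep the disassembly for the bytes of the constant you stored, and they should not be present.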

Remediation

Users should upgrade to a stable kernel that carries the fix, in which the blinding pass handles 'BPF_ST | BPF_PROBE_MEM32' stores the same way as 'BPF_ST | BPF_MEM' ones; distributions ship it as a backport in their regular kernel updates. Kernel sources and stable releases are available from the official Linux kernel website. Until the update is applied, the only configuration-level workaround is to disable the JIT with 'net.core.bpf_jit_enable=0', which removes JIT spraying entirely but is not possible on kernels built with CONFIG_BPF_JIT_ALWAYS_ON (common on distribution kernels). Raising 'bpf_jit_harden' to 2 does not help, because the unmatched store is skipped at every hardening level.

Added: Apr 2, 2026, 12:21 PM
Updated: Apr 2, 2026, 12:21 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.