Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem has been addressed. The issue arose in the BPF verifier's scalar forking logic, specifically in the 'maybe_fork_scalars()' function, which is invoked for both BPF_AND and BPF_OR operations when the source operand is a constant. The defect is triggered when the destination operand (dst) has a signed range of [-1, 0]: the verifier forks its state incorrectly, giving the pushed path dst = 0 and the current path dst = -1. That fork is correct for BPF_AND but wrong for BPF_OR, so the bounds the verifier computes for the result no longer match the values the register can actually hold at runtime. This divergence can be exploited to access BPF maps out of bounds, potentially causing undefined behavior or crashes.
Exploitation of this vulnerability allows for out-of-bounds access to BPF maps, which can lead to undefined behavior or crashes.
The vulnerability can be reproduced by loading a BPF program that applies BPF_OR with a constant source operand to a destination operand whose signed range is [-1, 0]. This triggers the faulty scalar fork in the verifier, and the resulting divergence between the verifier's bounds and the program's runtime values can be exploited to access BPF maps out of bounds.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.