Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's BPF interpreter, in its signed 32-bit division and modulo operations, has been fixed. The handlers for these operations applied the kernel's abs() macro to signed 32-bit integers, and the result of abs() is undefined when the value is the minimum possible integer. On arm64 and x86 architectures, this resulted in incorrect behavior that could be exploited to access map values out of bounds. The fix introduces a new function, abs_s32(), that handles the minimum integer value correctly, and replaces the problematic abs() calls in the division and modulo handlers.
Exploitation of this vulnerability could lead to out-of-bounds access of map values, potentially causing undefined behavior or memory corruption.
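The arithmetic behind the abs_s32() fix described above, as an added user-space example (not the kernel's code). The names `abs_s32_example`, `wrapped_abs_model`, `sdiv32_safe` and `sdiv32_wrapped` are hypothetical, and the wrapped result and its 64-bit sign extension are a labelled assumption used to show how a wrong magnitude changes the quotient.

```c
#include <stdint.h>
#include <stdio.h>

/* Magnitude of a signed 32-bit value, computed in the unsigned domain:
 * 0u - (uint32_t)x is well defined modulo 2^32, so INT32_MIN maps to
 * 2147483648. Hypothetical helper illustrating the idea of the fix. */
static uint32_t abs_s32_example(int32_t x)
{
    return x < 0 ? 0u - (uint32_t)x : (uint32_t)x;
}

/* Assumption: models a signed abs() that leaves INT32_MIN unchanged on
 * two's complement hardware, without executing the undefined negation. */
static int32_t wrapped_abs_model(int32_t x)
{
    if (x == INT32_MIN)
        return INT32_MIN;
    return x < 0 ? -x : x;
}

/* Signed 32-bit division via magnitudes; src must be non-zero. The final
 * unsigned-to-signed cast relies on the usual modulo conversion. */
static int32_t sdiv32_safe(int32_t dst, int32_t src)
{
    uint32_t q = abs_s32_example(dst) / abs_s32_example(src);
    return (int32_t)(((dst < 0) != (src < 0)) ? 0u - q : q);
}

/* Same division, but the wrapped magnitude is sign-extended to 64 bits
 * (assumption), so INT32_MIN becomes 0xFFFFFFFF80000000 before dividing. */
static int32_t sdiv32_wrapped(int32_t dst, int32_t src)
{
    uint64_t n = (uint64_t)(int64_t)wrapped_abs_model(dst);
    uint64_t d = (uint64_t)(int64_t)wrapped_abs_model(src);
    uint32_t q = (uint32_t)(n / d);
    return (int32_t)(((dst < 0) != (src < 0)) ? 0u - q : q);
}

int main(void)
{
    /* Constructed inputs: an ordinary value and the 32-bit minimum. */
    int32_t samples[] = { -7, INT32_MIN };
    for (int i = 0; i < 2; i++)
        printf("%d / 2: safe=%d wrapped=%d\n", (int)samples[i],
               (int)sdiv32_safe(samples[i], 2),
               (int)sdiv32_wrapped(samples[i], 2));
    return 0;
}
```

The two functions agree on ordinary inputs and diverge only at the minimum value, which is why such a defect is easy to miss in testing.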
The vulnerability can be reproduced by loading a BPF program into the kernel and executing it in a context where it performs signed 32-bit division or modulo operations with the minimum signed 32-bit integer value, which triggers the undefined behavior of the abs() macro on signed 32-bit integers.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched kernel can be found on the official Linux kernel website.