Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) verifier can lead to incorrect path pruning due to improper handling of atomic fetch instructions. When the backtrack_insn function processes a BPF_STX instruction marked as BPF_ATOMIC and BPF_FETCH, the source register (or r0 for BPF_CMPXCHG) also serves as a destination: it receives the old value from the specified memory location. The existing backtracking logic does not recognize this and treats atomic fetches like standard store operations, where the source register is merely an input. As a result, when that register needs to be precise, the verifier fails to propagate precision back to the stack slot the fetch read from, leaving the slot unmarked. An unmarked slot is ignored when the verifier compares states, so divergent stack states can be judged equivalent during path pruning. Consequently, branches that should be recognized as distinct may be incorrectly pruned as equivalent.
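The register and stack-slot bookkeeping described above, as an added C model (not kernel code; the bitmask state, the simplified instruction struct and the function names are assumptions made here) of how backtracking should treat a plain stack store versus an atomic fetch, and why the missing case leaves divergent stack states looking equivalent to pruning:

```c
/* Added model of BPF verifier precision backtracking for BPF_STX to a
 * stack slot. Not kernel code: register/slot bitmasks, the instruction
 * struct and the function names are simplifications chosen here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_REG_0 0
#define MAX_SLOTS 64

/* Three flavours of BPF_STX aimed at the stack (simplified encoding). */
enum stx_kind {
    STX_STORE,           /* plain store: slot := src                             */
    STX_ATOMIC_FETCH,    /* BPF_ATOMIC|BPF_FETCH: src := old slot; slot op= src   */
    STX_ATOMIC_CMPXCHG,  /* BPF_CMPXCHG: r0 := old slot; slot := src if old == r0 */
};

struct insn { enum stx_kind kind; int src; int slot; };

/* Backtracking state: registers and stack slots that must be precise. */
struct bt { uint16_t regs; uint64_t slots; };

static bool reg_set(const struct bt *bt, int r)  { return (bt->regs  >> r) & 1u; }
static bool slot_set(const struct bt *bt, int s) { return (bt->slots >> s) & 1ull; }

/* Buggy handling: every BPF_STX is treated as "slot := src", so precision
 * only ever flows slot -> src. The register an atomic fetch writes is ignored. */
static void backtrack_buggy(struct bt *bt, const struct insn *in)
{
    if (!slot_set(bt, in->slot))
        return;
    bt->slots &= ~(1ull << in->slot);
    bt->regs  |= 1u << in->src;
}

/* Corrected handling: for an atomic fetch the source register (r0 for
 * BPF_CMPXCHG) is also a destination that receives the slot's old value, so
 * precision on that register must flow back into the stack slot. */
static void backtrack_fixed(struct bt *bt, const struct insn *in)
{
    if (in->kind == STX_STORE) {
        backtrack_buggy(bt, in);         /* plain stores were already handled correctly */
        return;
    }
    int out = (in->kind == STX_ATOMIC_CMPXCHG) ? BPF_REG_0 : in->src;
    bool need_slot = slot_set(bt, in->slot); /* new slot value depends on old slot + inputs */
    bool need_out  = reg_set(bt, out);       /* fetched value depends on old slot           */
    if (!need_slot && !need_out)
        return;
    if (need_out)
        bt->regs &= ~(1u << out);            /* out's previous value is overwritten by the fetch */
    if (need_slot) {
        bt->regs |= 1u << in->src;           /* old src is an input to the new slot value */
        if (in->kind == STX_ATOMIC_CMPXCHG)
            bt->regs |= 1u << BPF_REG_0;     /* so is the compare operand in r0           */
    }
    bt->slots |= 1ull << in->slot;           /* the old slot value is needed in either case */
}

/* Run one backtracking step with either logic and return the resulting state. */
static struct bt backtrack(bool use_fixed, struct insn in, struct bt start)
{
    if (use_fixed)
        backtrack_fixed(&start, &in);
    else
        backtrack_buggy(&start, &in);
    return start;
}

/* Pruning compares only precise slots; an imprecise slot is "don't care". */
struct vstate { int64_t slot_val[MAX_SLOTS]; };

static bool states_equal(const struct vstate *a, const struct vstate *b, uint64_t precise)
{
    for (int s = 0; s < MAX_SLOTS; s++)
        if (((precise >> s) & 1ull) && a->slot_val[s] != b->slot_val[s])
            return false;
    return true;
}

/* Scenario (constructed): r1 = atomic_fetch_add([fp-8], r1) where slot 0
 * stands for fp-8, and r1 later needs precision. Returns true if two stack
 * states holding different values in that slot would be pruned as equivalent. */
static bool would_prune(bool use_fixed)
{
    struct insn in = { STX_ATOMIC_FETCH, 1, 0 };
    struct bt bt = backtrack(use_fixed, in, (struct bt){ 1u << 1, 0 });
    struct vstate a = {{0}}, b = {{0}};
    a.slot_val[0] = 8;    /* constructed divergent slot values */
    b.slot_val[0] = 512;
    return states_equal(&a, &b, bt.slots);
}

int main(void)
{
    printf("buggy logic prunes divergent states: %s\n", would_prune(false) ? "yes" : "no");
    printf("fixed logic prunes divergent states: %s\n", would_prune(true) ? "yes" : "no");
    return 0;
}
```

With the buggy logic the slot never becomes precise, so `states_equal` ignores it and the two states are pruned as equivalent; with the corrected logic the fetch marks the slot precise and the differing values keep the branches distinct. For the detection side, a verifier that logs the precision marks it assigns is the place to confirm that a stack slot read by an atomic fetch is marked when the fetched register is.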
The vulnerability can cause the BPF verifier to mismanage stack precision, allowing for incorrect equivalence assessments between branches, which can disrupt proper program verification and potentially enable the acceptance of unsafe BPF programs.
To reproduce this issue, create a BPF program that contains BPF_STX atomic instructions with BPF_FETCH set (or BPF_CMPXCHG) operating on the stack, and whose fetched register later requires precision. The BPF verifier will prune paths based on the flawed precision tracking, treating branches as equivalent when they should not be.
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.