Linux Kernel BPF Kprobe Sleepable Program Attachment Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically within the kprobe.multi program handling. The issue arises because the BPF kprobe multi link attachment function did not properly check if the attached program was sleepable. This oversight allowed sleepable helpers, such as bpf_copy_from_user(), to be called from a non-sleepable context, leading to a kernel panic with the message: 'sleeping function called from invalid context'. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability can cause a kernel panic: a sleeping function is invoked from the atomic/RCU context in which kprobe.multi programs operate, where sleeping is not permissible.

Reproduction

To reproduce this vulnerability, attach a sleepable kprobe.multi program using the bpf_kprobe_multi_link_attach() function. The program will be attached without the necessary validation, allowing it to invoke sleepable helpers from a non-sleepable context, which will result in a kernel panic.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.
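
To check whether a host has already hit this condition, kernel logs can be searched for the warning text quoted above. The Python below is an added example, not part of the original advisory or of the kernel; the log lines are constructed, and the frame names in them and the `bpf_` / `kprobe_multi` substring heuristic are assumptions about what such a trace would contain.

```python
import re

# Constructed sample kernel log (not from a real system). Frame names and
# source locations are assumptions used only to exercise the parser.
SAMPLE_LOG = """\
[  101.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  212.345678] BUG: sleeping function called from invalid context at include/linux/uaccess.h:1
[  212.345680] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4242, name: loader
[  212.345690] Call Trace:
[  212.345691]  <TASK>
[  212.345692]  __might_fault+0x20/0x30
[  212.345693]  bpf_copy_from_user+0x2a/0x80
[  212.345694]  bpf_prog_0123456789abcdef_probe+0x41/0x60
[  212.345695]  kprobe_multi_link_prog_run+0x9c/0x120
[  212.345696]  </TASK>
[  300.000000] BUG: sleeping function called from invalid context at mm/slab.h:1
[  300.000001] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 77, name: kworker/0:1
[  300.000002] Call Trace:
[  300.000003]  some_driver_irq+0x10/0x40
"""

SPLAT = re.compile(r"BUG: sleeping function called from invalid context")
TASK = re.compile(r"pid: (\d+), name: (\S+)")
FRAME = re.compile(r"\]\s+(?:\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
BPF_HINTS = ("bpf_", "kprobe_multi")  # heuristic substrings, an assumption

def find_bpf_sleep_splats(log_text):
    """Return one dict per sleep-in-atomic splat whose trace has BPF frames."""
    splats, cur = [], None
    for line in log_text.splitlines():
        if SPLAT.search(line):
            cur = {"pid": None, "comm": None, "frames": []}
            splats.append(cur)
            continue
        if cur is None:
            continue  # ordinary log line before any splat
        task, frame = TASK.search(line), FRAME.search(line)
        if task and cur["pid"] is None:
            cur["pid"], cur["comm"] = int(task.group(1)), task.group(2)
        elif frame:
            cur["frames"].append(frame.group(1))
    # Keep only splats that passed through BPF code, dropping unrelated ones.
    return [s for s in splats
            if any(h in f for f in s["frames"] for h in BPF_HINTS)]
```

The function takes the text of a kernel log (for example, saved `dmesg` output) and returns the PID, process name and stack frames for each matching splat.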

Added: May 1, 2026, 3:59 PM
Updated: May 1, 2026, 3:59 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 6.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.