Linux Kernel BPF Register ID Reset Vulnerability

Vulnerability

A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem has been addressed. The issue arose because the BPF_END operation, which swaps the bytes of a register, changed the register's scalar value without resetting its scalar ID. The verifier uses a shared scalar ID to mark registers that hold the same value, so if the swapped register shared an ID with another register, the two remained linked even though their values now differed. As a result, bounds learned from a conditional jump on one register could be wrongly applied to the other, potentially allowing out-of-bounds memory accesses. The vulnerability affected the Linux kernel stable tree.

Impact

The vulnerability could lead to incorrect value propagation between linked registers, so the verifier could accept a program that reads or writes outside the intended memory boundaries.

Reproduction

To reproduce this vulnerability, a BPF program can be crafted that uses the BPF_END instruction to swap the bytes of a register that shares a scalar ID with another register. After the byte swap, a conditional jump can be made on the swapped register. The verifier will incorrectly propagate the bounds learned from that jump to the linked register, so its tracked bounds no longer match the value the register can actually hold. This can be tested by monitoring for out-of-bounds memory accesses that result from the incorrect value propagation.
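To show why the fix resets the ID, the following C model (added here; it is not kernel code or a program from this advisory) tracks scalar bounds and linked-register IDs the way the description above outlines: in the buggy path the swapped register keeps its stale ID, so a bound learned on a later conditional jump is wrongly copied to the register it was linked to. The `struct reg` layout, `bpf_end16`, `learn_ule` and `believed_r0_umax` are simplified stand-ins, not verifier APIs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model, not the kernel's bpf_reg_state: a scalar register is a
 * pair of u64 bounds plus an id. Registers sharing a non-zero id are assumed
 * to hold the same value, so a bound learned about one is copied to the rest. */
struct reg { uint64_t umin, umax; uint32_t id; };
#define NREGS 11

static uint64_t bswap16(uint64_t v) { return ((v & 0xff) << 8) | ((v >> 8) & 0xff); }

/* BPF_END (16-bit swap) on dst. The swap is tracked only for a known constant;
 * anything else becomes unknown. Either way dst no longer holds the value of the
 * registers it was linked to, so the fixed path drops the id; the buggy path keeps it. */
static void bpf_end16(struct reg *dst, bool fixed)
{
    if (dst->umin == dst->umax)
        dst->umin = dst->umax = bswap16(dst->umin);   /* constant: track the swap */
    else
        dst->umin = 0, dst->umax = UINT64_MAX;        /* otherwise: unknown */
    if (fixed)
        dst->id = 0;
}

/* Fallthrough of "if r > limit goto reject": r is now at most limit, and the
 * new bound is synced to every register that still shares r's id. */
static void learn_ule(struct reg *regs, size_t r, uint64_t limit)
{
    if (limit < regs[r].umax)
        regs[r].umax = limit;
    for (size_t i = 0; regs[r].id && i < NREGS; i++)
        if (i != r && regs[i].id == regs[r].id)
            regs[i] = regs[r];
}

/* The verifier's belief about r0's upper bound after the (constructed) sequence
 *   r0 = scalar in [0, 0xffff], id 7;  r1 = r0;  r1 = bswap16 r1;
 *   if r1 > 0xff goto reject;         (fallthrough: r1 in [0, 0xff])
 * Buggy: 0xff, narrowed through the stale link. Fixed: 0xffff, unchanged. */
static uint64_t believed_r0_umax(bool fixed)
{
    struct reg regs[NREGS] = {{ 0, 0xffff, 7 }};
    regs[1] = regs[0];            /* r1 = r0 copies the id */
    bpf_end16(&regs[1], fixed);
    learn_ule(regs, 1, 0xff);
    return regs[0].umax;
}
```

Concretely, r0 = 0x1000 passes the runtime check (its 16-bit swap is 0x0010) yet lies outside the [0, 0xff] the buggy model believes for r0, which is the mismatch that lets a later r0-indexed access go out of bounds; resetting the ID on BPF_END removes the stale link, so the learned bound stays on r1 only.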

Remediation

Users should upgrade to a Linux kernel version in which this vulnerability has been fixed. The specific commit that addresses this issue is available in the Linux kernel stable tree.

Added: May 5, 2026, 4:44 PM
Updated: May 5, 2026, 4:44 PM

Vulnerability Rating

Custom Algorithm
spread:         9.0
impact:         5.0
exploitability: 4.3
remediation:    7.7
relevance:      7.5
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.