Linux Kernel BPF CO-RE Accessor Index Vulnerability Leading to Kernel Crash

Vulnerability

A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem allows a kernel crash due to improper handling of negative indices in CO-RE (Compile Once - Run Everywhere) accessor strings. The issue arises on kernels that include BTF (BPF Type Format) information for types such as 'task_struct', and is triggered while loading a crafted BPF program. The vulnerability is present in the stable Linux kernel through version 7.0.0-rc6.

Impact

Exploitation of this vulnerability causes a kernel crash, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, create a BPF program that includes a negative CO-RE accessor index, such as -1, targeting a struct available in vmlinux BTF. Load this program using the BPF_PROG_LOAD syscall on a system with CONFIG_DEBUG_INFO_BTF enabled, which is the default for major distributions. The kernel will crash during the loading process, indicating that the vulnerability has been successfully exploited.
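A loader-side check that rejects negative accessor indices before an object is handed to BPF_PROG_LOAD, as an added example (not kernel or libbpf code, and not the upstream fix). It assumes accessor strings are colon-separated decimal indices such as "0:1:2"; the function name core_accessor_validate and the MAX_ACCESS_DEPTH bound are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ACCESS_DEPTH 64 /* assumed cap on accessor components */

/*
 * Hypothetical helper (not kernel or libbpf code): validate a CO-RE accessor
 * string such as "0:1:2". Returns the number of indices stored in out[], or
 * -EINVAL (empty, malformed or negative component), -ERANGE (does not fit in
 * int), -E2BIG (more than MAX_ACCESS_DEPTH components).
 */
int core_accessor_validate(const char *s, int out[MAX_ACCESS_DEPTH])
{
    int n = 0;

    if (!s || !*s)
        return -EINVAL;
    for (;;) {
        char *end;
        long v;

        /* Demand a leading digit: strtol alone accepts "-1", "+1", " 1". */
        if (*s < '0' || *s > '9')
            return -EINVAL;
        errno = 0;
        v = strtol(s, &end, 10);
        if (errno == ERANGE || v > INT_MAX)
            return -ERANGE;
        if (n == MAX_ACCESS_DEPTH)
            return -E2BIG;
        out[n++] = (int)v;
        if (*end == '\0')
            return n;
        if (*end != ':')
            return -EINVAL;
        s = end + 1; /* a trailing ':' fails the digit check next round */
    }
}

int main(void)
{
    /* Constructed sample accessor strings, not taken from a real object. */
    const char *samples[] = { "0:1:2", "0:-1", "0:", "4294967296" };
    int idx[MAX_ACCESS_DEPTH];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s -> %d\n", samples[i], core_accessor_validate(samples[i], idx));
    return 0;
}
```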

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.

Added: May 27, 2026, 11:24 AM
Updated: May 27, 2026, 11:24 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.