Linux Kernel BPF Read-Only Argument Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) implementation has been addressed. The issue arose when certain maps in Cilium were made read-only from the BPF perspective, revealing a flaw in the bpf_xdp_store_bytes function prototype. The BPF verifier flagged an error because the function was attempting to write into a map designated as read-only, leading to a failure in the verification process. This vulnerability could potentially allow for improper memory access or manipulation within BPF programs, particularly those interacting with XDP (eXpress Data Path) and Cilium maps.

Impact

Exploitation of this vulnerability could result in BPF programs incorrectly handling memory access, particularly with read-only maps, potentially leading to uninitialized memory reads or improper data manipulation.

Reproduction

To reproduce this vulnerability, create a BPF program that interacts with XDP and Cilium maps. Set some of these maps to be read-only from the BPF side. When the BPF program attempts to use the bpf_xdp_store_bytes function to write data into a read-only map, the verifier will throw an error, indicating that the function prototype is incorrect. This error demonstrates the vulnerability, as it highlights a mismatch between the expected and actual handling of read-only map values in the BPF program.
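The check described above, as a simplified userspace model added here for illustration (not kernel code and not part of the original advisory). It assumes the pre-fix prototype declared the helper's source buffer as memory the helper writes; every type, function and flag name and the sample sizes are constructed for the model.

```c
/* Simplified userspace model of a verifier memory-argument check.
 * Not kernel code: all names and sample sizes here are constructed. */
#include <stddef.h>
#include <stdio.h>

/* How a helper prototype declares what it does with a pointer argument. */
enum arg_access { ARG_HELPER_READS, ARG_HELPER_WRITES };

/* Program-side map restrictions (read-only / write-only for BPF programs). */
enum map_prog_flags { MAP_RDONLY_PROG = 1 << 0, MAP_WRONLY_PROG = 1 << 1 };

struct map_value_ptr {
    unsigned int map_flags; /* restrictions chosen when the map was created */
    size_t value_size;      /* size of one map value in bytes */
    size_t off;             /* offset of the pointer inside that value */
};

/* Returns NULL if a helper may be handed `size` bytes at `p`,
 * otherwise a verifier-style reason for rejecting the program. */
const char *check_helper_mem_arg(enum arg_access declared,
                                 const struct map_value_ptr *p, size_t size)
{
    if (p->off > p->value_size || size > p->value_size - p->off)
        return "access outside map value";
    if (declared == ARG_HELPER_WRITES && (p->map_flags & MAP_RDONLY_PROG))
        return "write into map forbidden";
    if (declared == ARG_HELPER_READS && (p->map_flags & MAP_WRONLY_PROG))
        return "read from map forbidden";
    return NULL;
}

/* Store-bytes call whose source buffer is a value from a read-only map. */
const char *verify_store_bytes_src(enum arg_access src_decl)
{
    struct map_value_ptr src = { MAP_RDONLY_PROG, 6, 0 }; /* constructed sizes */
    return check_helper_mem_arg(src_decl, &src, 4);
}

int main(void)
{
    const char *why = verify_store_bytes_src(ARG_HELPER_WRITES);
    printf("source declared as written: %s\n", why ? why : "accepted");
    why = verify_store_bytes_src(ARG_HELPER_READS);
    printf("source declared as read:    %s\n", why ? why : "accepted");
    return 0;
}
```

The same program and the same read-only map give opposite verdicts depending only on how the prototype declares the argument, which is why a prototype error surfaces as a verifier rejection.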

Remediation

The vulnerability has been fixed in the Linux kernel. Users can upgrade to the latest version of the stable Linux kernel to address this issue.

Added: May 28, 2026, 1:50 AM
Updated: May 28, 2026, 1:50 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.