LoongArch: BPF: Prevent out-of-bounds memory access

When running the test_tag test, an unhandled page fault is triggered. The vulnerability lies in the Linux kernel's BPF (Berkeley Packet Filter) implementation for LoongArch, a recently introduced architecture. This post covers the details of the issue, a kernel log excerpt showing the fault, and the original references.

Exploit Details

The issue is caused by an out-of-bounds memory access in BPF, resulting in a page fault when attempting to access an invalid memory address. On systems with CONFIG_PAGE_SIZE_16KB=y, the test failed when loading a BPF program with 2039 instructions.

To better understand the issue, here is an excerpt from the kernel log of the fault:

...
[  130.640874] pc 9000000003137f7c ra 9000000003139e70 tp 9000000104cb400 sp 9000000104cb7a40
[  130.641001] a ffff80001b894000 a1 ffff80001b897ff8 a2 000000006ba210be a3 000000000000000
...
...
[  130.645539] Code: 380839f6  380831f9  28412bae <24000ca6> 004081ad  0014cb50  004083e8  02bff34c  58008e91
[  130.645729]
[  130.646418] ---[ end trace 000000000000000 ]---

The full details of the vulnerability can be found in the following references:

- OSF Gitlab Merge Request
- LoongArch Linux Part 6 Discussion

Resolution

The vulnerability has been addressed by preventing out-of-bounds memory access in the BPF implementation for LoongArch. Users are advised to update their Linux kernel to the latest version containing the patch addressing this issue.
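
The following user-space model is an added example, not code from the kernel or from the original post: it shows why 2039 instructions matter with 16 KB pages and what a guarded next-slot fetch looks like. It assumes the faulting access is a read of the slot following the current instruction, which this post does not spell out; `struct insn`, the 72-byte header and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified 8-byte stand-in for the kernel's struct bpf_insn (hypothetical model). */
struct insn { uint8_t code, regs; int16_t off; int32_t imm; };
#define PAGE_16K 0x4000u   /* CONFIG_PAGE_SIZE_16KB=y */
#define LD_IMM64 0x18      /* BPF_LD | BPF_IMM | BPF_DW, the two-slot instruction */

/* Assumption: the array starts hdr bytes into a page-aligned allocation.
 * Returns 1 if peeking at the slot after the last instruction leaves that page. */
static int peek_leaves_page(size_t hdr, size_t n)
{
    size_t end = hdr + n * sizeof(struct insn);   /* first byte past the array */
    return end + sizeof(struct insn) > PAGE_16K;
}

/* Guarded fetch: read slot i+1 only for the two-slot instruction, and only
 * if that slot is inside the program. Returns 0 on success, -1 otherwise. */
static int fetch_imm(const struct insn *p, size_t n, size_t i, uint64_t *out)
{
    if (i >= n || (p[i].code == LD_IMM64 && i + 1 >= n))
        return -1;                                /* out of range or truncated pair */
    if (p[i].code != LD_IMM64)
        *out = (uint64_t)(int64_t)p[i].imm;       /* single slot: p[i+1] untouched */
    else
        *out = ((uint64_t)(uint32_t)p[i + 1].imm << 32) | (uint32_t)p[i].imm;
    return 0;
}

/* Walk a program one instruction at a time; returns instructions seen or -1. */
static long walk(const struct insn *p, size_t n)
{
    long seen = 0;
    uint64_t imm;
    for (size_t i = 0; i < n; i += (p[i].code == LD_IMM64) ? 2 : 1, seen++)
        if (fetch_imm(p, n, i, &imm) < 0)
            return -1;
    return seen;
}

/* Constructed samples: a well-formed program, and one ending in half an LD_IMM64. */
static long demo_ok(void)  { struct insn p[] = {{0xb7,0,0,1},{LD_IMM64,0,0,2},{0,0,0,3},{0x95,0,0,0}}; return walk(p, 4); }
static long demo_cut(void) { struct insn p[] = {{0xb7,0,0,1},{LD_IMM64,0,0,2}}; return walk(p, 2); }

int main(void)
{
    printf("leaves page: %d ok=%ld cut=%ld\n", peek_leaves_page(PAGE_16K - 2039 * sizeof(struct insn), 2039), demo_ok(), demo_cut());
    return 0;
}
```

With the constructed 72-byte header, 2039 eight-byte instructions end exactly on the 16 KB boundary, so a peek one slot further lands in the next page; with 2038 instructions the same peek is still out of bounds of the array but stays inside the page and would not fault.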

Conclusion

CVE-2024-26588 demonstrates the importance of continuous testing, security review, and patching in the ever-evolving world of the Linux kernel. Thanks to the efforts of the Linux kernel community and the LoongArch developers, this issue has been resolved, ensuring greater system stability and security for users. Be sure to stay updated on the latest kernel developments and patches to maintain the best possible protection for your Linux systems.

Timeline

Published on: 02/22/2024 17:15:08 UTC
Last modified on: 03/18/2024 18:02:15 UTC