Andrii Nakryiko

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The issue is related to a use-after-free (UAF) vulnerability in the Linux kernel's BPF uprobe attachments. Uprobes use `bpf prog run array uprobe()` under tasks-trace-RCU protection, but it is possible to attach a non-sleepable BPF program to a uprobe. Non-sleepable BPF programs are freed via normal RCU, which can lead to UAF of the `bpf prog` because a normal RCU grace period does not imply a tasks-trace-RCU grace period. The vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.74 or later. As a temporary workaround, consider restricting the use of non-sleepable BPF programs with uprobe attachments until a patch is available. Avoid using the `bpf prog run array uprobe()` function under tasks-trace-RCU protection with non-sleepable BPF programs.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a null-pointer dereference in the libbpf component of the Linux kernel. Specifically, in the `bpf objec load prog()` function, there is no guarantee that `obj->btf` is non-NULL when passed to `btf fd()`, which does not perform any checks before dereferencing its argument. This can lead to segmentation fault errors when trying to load programs without BTF information, for example, in bpftool. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Linux kernel's Berkeley Packet Filter (BPF) functionality, where the arithmetic for checking stack bounds was done in the 32-bit domain, potentially leading to integer overflows when adding a 64-bit register with an integer offset. The offset could come from an instruction, another register, or the size of an argument to a kernel function, and the inconsistent checking of the register's value could lead to overflows. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A bug in the Linux kernel has been identified, related to the combination of JIT blinding and pointers to BPF subprogs. This issue causes a page fault when the kernel attempts to access an invalid address, resulting in a supervisor instruction fetch in kernel mode. The problem arises from the JIT blinding logic failing to recognize special instructions, specifically `ld imm64` with an address of a BPF subprogram, and randomizing it. This leads to the second JIT phase missing the adjustment of the special `ld imm64` instruction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.