Xu Kuohai

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58 Description: The issue concerns the Linux kernel, where a vulnerability has been resolved related to the bpf (Berkeley Packet Filter) functionality. Specifically, the problem arises when bpf programs attached to different kernel functions or hooks can bypass ctx access or return value verification through tail calls. For instance, if a program attached to one function takes only one parameter and another program attached to a different function takes two parameters, the verifier may allow the second program to access the second parameter, assuming it was constructed based on the second function's prototype. However, if the first program passes its context to the second via a tail call, the context is actually constructed from the first function, bypassing the assumption for ctx access verification. A similar issue occurs with return value rules for different hooks. This vulnerability could potentially be exploited to bypass security checks. Recommendations: To resolve the issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider restricting the use of bpf programs attached to different hooks to prevent tail calls between them. Additionally, restrict access to sensitive kernel functions and hooks to minimize the risk of exploitation.