The vulnerability occurs in the Linux kernel's Berkeley Packet Filter (BPF) subsystem, specifically in the JIT compiler for x64 architectures. The issue arises from a bug introduced in kernel version 5.10 with commit e411901c0b77, which allowed for tail calls in BPF subprograms.
The problem is that the `tail_call_reachable` flag is not propagated into the outer program's auxiliary data (`env->prog->aux->tail_call_reachable`). As a result, the check that is meant to reject such programs when JIT compilation fails does not fire, and the program is run with incorrect behaviour.
The affected code is in `kernel/bpf/verifier.c`. An attacker able to load BPF programs could craft one that relies on this incorrect tail call handling.
To fix this issue, the kernel team added a propagation step in the `check_max_stack_depth()` function to ensure that the `tail_call_reachable` flag is correctly set for the outer program's auxiliary data structure.
The vulnerability was fixed in kernel versions 5.10.54, 5.13.6, and 5.14 with commits 39f1735c8107, cbb086074dab, and 5dd0a6b8582f, respectively. Users are recommended to update to the latest stable kernel version to fix this issue.
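To make the propagation step concrete, the following is an added model in C, constructed for this page and not kernel code: a simplified `check_max_stack_depth` follows one bpf2bpf call chain, marks the caller frames as tail-call reachable as the verifier does, and only in the fixed variant copies that flag into the outer program's aux data that the JIT-failure rejection check reads. The call-chain array, the `fixed` switch, and the struct layouts are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model, not kernel code: one entry per BPF subprogram (index 0 is
 * the outer program) and the outer program's aux data read on JIT failure. */
struct subprog_info { bool has_tail_call, tail_call_reachable; };
struct prog_aux { bool tail_call_reachable; };

/* Simplified stand-in for check_max_stack_depth(): follow one bpf2bpf call
 * chain subprog 0 -> chain[0] -> chain[1] ... (the kernel walks every path),
 * recording each frame's caller in ret_prog[] as the kernel does.
 * 'fixed' selects whether the propagation step added by the fix is present. */
static void check_max_stack_depth(struct subprog_info *subprog, const int *chain,
                                  size_t chain_len, struct prog_aux *aux, bool fixed)
{
    int ret_prog[8];
    size_t frame = 0;
    int idx = 0;                      /* start in the outer program */
    bool tail_call_reachable = false;
    for (size_t i = 0; i < chain_len && frame < 8; i++) {
        ret_prog[frame++] = idx;      /* remember who called the next frame */
        idx = chain[i];
        if (subprog[idx].has_tail_call)
            tail_call_reachable = true;
    }
    /* tail call seen across bpf2bpf calls: mark every caller frame */
    if (tail_call_reachable)
        for (size_t j = 0; j < frame; j++)
            subprog[ret_prog[j]].tail_call_reachable = true;
    /* the fix: copy subprog[0]'s flag into prog->aux; without this line the
     * aux flag stays false whenever the tail call sits only in a subprogram */
    if (fixed && subprog[0].tail_call_reachable)
        aux->tail_call_reachable = true;
}

/* The rejection check the text mentions: bpf2bpf calls plus a reachable tail
 * call cannot run in the interpreter, so the program must be refused. */
static bool rejected_when_jit_fails(size_t subprog_cnt, const struct prog_aux *aux)
{
    return subprog_cnt > 1 && aux->tail_call_reachable;
}

/* Layout that triggers the bug: subprog 0 -> 1 -> 2, tail call only in 2. */
static bool verify_chain(bool fixed)
{
    struct subprog_info sp[3] = { {false, false}, {false, false}, {true, false} };
    struct prog_aux aux = { false };
    const int chain[] = { 1, 2 };
    check_max_stack_depth(sp, chain, 2, &aux, fixed);
    return rejected_when_jit_fails(3, &aux);   /* false before the fix, true after */
}
```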