CVE-2021-47607

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix kernel address leakage in atomic cmpxchg&amp;#39;s r0 aux reg<br /> <br /> The implementation of BPF_CMPXCHG on a high level has the following parameters:<br /> <br /> .-[old-val] .-[new-val]<br /> BPF_R0 = cmpxchg{32,64}(DST_REG + insn-&gt;off, BPF_R0, SRC_REG)<br /> `-[mem-loc] `-[old-val]<br /> <br /> Given a BPF insn can only have two registers (dst, src), the R0 is fixed and<br /> used as an auxilliary register for input (old value) as well as output (returning<br /> old value from memory location). While the verifier performs a number of safety<br /> checks, it misses to reject unprivileged programs where R0 contains a pointer as<br /> old value.<br /> <br /> Through brute-forcing it takes about ~16sec on my machine to leak a kernel pointer<br /> with BPF_CMPXCHG. The PoC is basically probing for kernel addresses by storing the<br /> guessed address into the map slot as a scalar, and using the map value pointer as<br /> R0 while SRC_REG has a canary value to detect a matching address.<br /> <br /> Fix it by checking R0 for pointers, and reject if that&amp;#39;s the case for unprivileged<br /> programs.