CVE-2021-47608

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix kernel address leakage in atomic fetch<br /> <br /> The change in commit 37086bfdc737 ("bpf: Propagate stack bounds to registers<br /> in atomics w/ BPF_FETCH") around check_mem_access() handling is buggy since<br /> this would allow for unprivileged users to leak kernel pointers. For example,<br /> an atomic fetch/and with -1 on a stack destination which holds a spilled<br /> pointer will migrate the spilled register type into a scalar, which can then<br /> be exported out of the program (since scalar != pointer) by dumping it into<br /> a map value.<br /> <br /> The original implementation of XADD was preventing this situation by using<br /> a double call to check_mem_access() one with BPF_READ and a subsequent one<br /> with BPF_WRITE, in both cases passing -1 as a placeholder value instead of<br /> register as per XADD semantics since it didn&amp;#39;t contain a value fetch. The<br /> BPF_READ also included a check in check_stack_read_fixed_off() which rejects<br /> the program if the stack slot is of __is_pointer_value() if dst_regno