CVE-2021-47608

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix kernel address leakage in atomic fetch

The change in commit 37086bfdc737 ("bpf: Propagate stack bounds to registers in atomics w/ BPFFETCH") around checkmem_access() handling is buggy since this would allow for unprivileged users to leak kernel pointers. For example, an atomic fetch/and with -1 on a stack destination which holds a spilled pointer will migrate the spilled register type into a scalar, which can then be exported out of the program (since scalar != pointer) by dumping it into a map value.

The original implementation of XADD was preventing this situation by using a double call to checkmemaccess() one with BPFREAD and a subsequent one with BPFWRITE, in both cases passing -1 as a placeholder value instead of register as per XADD semantics since it didn't contain a value fetch. The BPFREAD also included a check in checkstackreadfixed_off() which rejects the program if the stack slot is of _ispointervalue() if dstregno < 0. The latter is to distinguish whether we're dealing with a regular stack spill/ fill or some arithmetical operation which is disallowed on non-scalars, see also 6e7e63cbb023 ("bpf: Forbid XADD on spilled pointers for unprivileged users") for more context on checkmemaccess() and its handling of placeholder value -1.

One minimally intrusive option to fix the leak is for the BPFFETCH case to initially check the BPFREAD case via checkmemaccess() with -1 as register, followed by the actual load case with non-negative load_reg to propagate stack bounds to registers.