The Linux kernel is the core of any Linux-based system, handling a multitude of tasks to provide a secure and efficient environment for applications. Vulnerabilities are still found in it, and in the networking and BPF subsystems a bug can mean a kernel crash. Recently a NULL pointer dereference, tracked as CVE-2025-21852, was found and resolved in the Linux kernel by the commit 'net: Add rx_sk of kfree_skb to raw_tp_null_args[]'. It was reported by Yan Zhai, who found that a BPF program attached to the kfree_skb raw tracepoint could dereference a NULL pointer if it did not check whether its 'rx_sk' argument is NULL. Loading such a program requires CAP_BPF and CAP_PERFMON (or root), so the practical impact is a kernel oops (denial of service) caused by a privileged but buggy tracing program, not remote code execution; the point of the fix is that the verifier now refuses the program instead of letting the kernel crash.

To understand the issue, look at what changed. Commit c53795d48ee8 ("net: add rx_sk to trace_kfree_skb") added 'rx_sk' to 'trace_kfree_skb' so that a tracepoint consumer can see the receiving socket, but 'rx_sk' is optional: the plain kfree_skb() path passes NULL for it. Before the fix the BPF verifier typed every pointer argument of a raw tracepoint as a trusted, non-NULL pointer, so a program that read through 'rx_sk' without a check was accepted and then crashed the kernel the first time it ran on a drop with no receiving socket. The fix adds 'kfree_skb' to 'raw_tp_null_args[]', the table of raw tracepoint arguments that may be NULL; the verifier then marks the argument as 'trusted_ptr_or_null_sock' and rejects any program that dereferences it before testing it against NULL.

With the fix in place, an attempt to load such a program is rejected by the verifier at load time, as the following log from the commit shows:

libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --
0: R1=ctx() R10=fp0
; int BPF_PROG(drop, struct sk_buff *skb, void *location, @ kfree_skb_sk_null.bpf.c:21
0: (79) r3 = *(u64 *)(r1 +24)
func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'
1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)
; bpf_printk("sk: %d, %d\n", sk, sk->__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24
1: (69) r4 = *(u16 *)(r3 +16)
R3 invalid mem access 'trusted_ptr_or_null_'
processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
-- END PROG LOAD LOG --

Note that this fix depends on commit 838a10bd2ebf ("bpf: Augment raw_tp arguments with PTR_MAYBE_NULL"), which introduced raw_tp_null_args[] and the PTR_MAYBE_NULL tagging of raw tracepoint arguments. Without it there is no table to add kfree_skb to, so a backport of this fix must carry that commit as well.
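To make the verifier's reasoning concrete, here is an added host-side C model of the rule that the raw_tp_null_args[] entry enables. It is not kernel code and not from the commit: the register types, the four-instruction "ISA", the table layout and the function names (verify, load_prog, verifier_log) are all simplifications chosen for this example. It runs the program from the log above (load rx_sk, then read skc_family at offset 16 without a check) against the table with and without the kfree_skb entry, and also runs the corrected program that tests the pointer first.

```c
/* Added example (not kernel code): a host-side model of the verifier rule that the
 * raw_tp_null_args[] entry for kfree_skb enables. Register types, the instruction set
 * and the table layout are simplified; what is modelled is the rule "an argument that
 * may be NULL must be NULL-checked before it is dereferenced". */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum reg_type { NOT_INIT, CTX, SCALAR, PTR_TRUSTED, PTR_TRUSTED_OR_NULL };
enum op { LDX_CTX_ARG, LDX_MEM, JEQ_NULL_EXIT, EXIT };
struct insn { enum op op; int dst, src, imm; };  /* imm: arg index (LDX_CTX_ARG) or offset (LDX_MEM) */

/* Model of raw_tp_null_args[]: one bit per argument that may be NULL (the kernel's
 * table uses its own encoding). kfree_skb arg 3 is rx_sk, which kfree_skb() passes as NULL. */
struct null_args_entry { const char *tp; unsigned mask; };
static const struct null_args_entry table_after_fix[] = { { "kfree_skb", 1u << 3 } };

static unsigned null_mask(const struct null_args_entry *tab, size_t n, const char *tp)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tab[i].tp, tp) == 0)
            return tab[i].mask;
    return 0;  /* not listed: every pointer argument is taken to be non-NULL */
}

/* Returns the index of the rejected instruction, or -1 if the program verifies.
 * err receives a message in the style of the kernel's verifier log. */
static int verify(const struct insn *prog, int len, const char *tp,
                  const struct null_args_entry *tab, size_t tab_len, char *err, size_t errlen)
{
    enum reg_type regs[11] = { NOT_INIT };
    unsigned mask = null_mask(tab, tab_len, tp);

    regs[1] = CTX;  /* r1 points at the array of raw tracepoint arguments */
    err[0] = '\0';
    for (int pc = 0; pc < len; pc++) {
        const struct insn *in = &prog[pc];
        switch (in->op) {
        case LDX_CTX_ARG:  /* listed argument: trusted_ptr_or_null_<type>, else trusted_ptr_<type> */
            if (regs[in->src] != CTX) {
                snprintf(err, errlen, "R%d is not ctx", in->src);
                return pc;
            }
            regs[in->dst] = (mask & (1u << in->imm)) ? PTR_TRUSTED_OR_NULL : PTR_TRUSTED;
            break;
        case JEQ_NULL_EXIT:  /* "if (rX == NULL) exit": on the fall-through path rX is non-NULL */
            if (regs[in->src] == PTR_TRUSTED_OR_NULL)
                regs[in->src] = PTR_TRUSTED;
            break;
        case LDX_MEM:  /* a load through a maybe-NULL pointer is exactly what the fix rejects */
            if (regs[in->src] == PTR_TRUSTED_OR_NULL) {
                snprintf(err, errlen, "R%d invalid mem access 'trusted_ptr_or_null_'", in->src);
                return pc;
            }
            if (regs[in->src] != PTR_TRUSTED) {
                snprintf(err, errlen, "R%d invalid mem access", in->src);
                return pc;
            }
            regs[in->dst] = SCALAR;
            break;
        case EXIT:
            return -1;
        }
    }
    snprintf(err, errlen, "program does not end with exit");
    return len;
}

/* The program from the log: r3 = arg 3 (rx_sk), then r4 = *(u16 *)(r3 + 16), i.e.
 * sk->__sk_common.skc_family, with no NULL check in between. */
static const struct insn prog_unchecked[] = {
    { LDX_CTX_ARG, 3, 1, 3 }, { LDX_MEM, 4, 3, 16 }, { EXIT, 0, 0, 0 },
};
/* The same program with the check the verifier now demands: if (!sk) return 0; */
static const struct insn prog_checked[] = {
    { LDX_CTX_ARG, 3, 1, 3 }, { JEQ_NULL_EXIT, 0, 3, 0 }, { LDX_MEM, 4, 3, 16 }, { EXIT, 0, 0, 0 },
};
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

static char last_err[96];
const char *verifier_log(void) { return last_err; }

/* checked selects the program; with_fix selects the table with or without the kfree_skb entry. */
int load_prog(bool checked, bool with_fix)
{
    return verify(checked ? prog_checked : prog_unchecked,
                  checked ? LEN(prog_checked) : LEN(prog_unchecked), "kfree_skb",
                  with_fix ? table_after_fix : NULL, with_fix ? LEN(table_after_fix) : 0,
                  last_err, sizeof last_err);
}

int main(void)
{
    int rc = load_prog(false, true);
    printf("unchecked, after fix:  rejected at insn %d: %s\n", rc, verifier_log());
    printf("checked,   after fix:  %s\n", load_prog(true, true) < 0 ? "loaded" : verifier_log());
    printf("unchecked, before fix: %s (oopses on the first NULL rx_sk)\n",
           load_prog(false, false) < 0 ? "loaded" : verifier_log());
    return 0;
}
```

The three runs reproduce the page's story: with the table entry, the unchecked program fails at instruction 1 with the same 'trusted_ptr_or_null_' message as the libbpf log; the checked program loads because the NULL test refines the register type on the fall-through path; and without the entry (the pre-fix kernel) the unchecked program loads, which is why the crash was reachable at all.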

Here is the kernel oops from the original report, observed before the fix. The faulting address is 0x10, which matches the load of sk->__sk_common.skc_family at offset 16 through the NULL 'rx_sk' in the BPF program, and the trace shows kfree_skb() being reached from unix_stream_connect(), a path that passes no receiving socket:

BUG: kernel NULL pointer dereference, address: 0000000000000010
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
PREEMPT SMP
RIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
Call Trace:
 <TASK>
 ? __die+0x1f/0x60
 ? page_fault_oops+0x148/0x420
 ? search_bpf_extables+0x5b/0x70
 ? fixup_exception+0x27/0x2c0
 ? exc_page_fault+0x75/0x170
 ? asm_exc_page_fault+0x22/0x30
 ? bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
 bpf_trace_run4+0x68/0xd0
 ? unix_stream_connect+0x1f4/0x6f0
 sk_skb_reason_drop+0x90/0x120
 unix_stream_connect+0x1f4/0x6f0
 __sys_connect+0x7f/0xb0
 __x64_sys_connect+0x14/0x20
 do_syscall_64+0x47/0xc30
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

With kfree_skb added to raw_tp_null_args[], the verifier refuses to load a program that dereferences 'rx_sk' without a NULL check, and CVE-2025-21852 is fixed. Only programs attached to the kfree_skb raw tracepoint that read 'rx_sk' are affected; a program that already tests the pointer before using it continues to load unchanged, and one that does not needs only the check added, the same pattern the verifier already enforces for other PTR_MAYBE_NULL arguments.

Timeline

Published on: 03/12/2025 10:15:17 UTC
Last modified on: 03/24/2025 15:41:23 UTC