Description
In the Linux kernel, the following vulnerability has been resolved: bpf: return VMA snapshot from task_vma iterator Holding the per-VMA lock across the BPF program body creates a lock ordering problem when helpers acquire locks that depend on mmap_lock: vm_lock -> i_rwsem -> mmap_lock -> vm_lock Snapshot the VMA under the per-VMA lock in _next() via memcpy(), then drop the lock before returning. The BPF program accesses only the snapshot. The verifier only trusts vm_mm and vm_file pointers (see BTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). vm_file is reference- counted with get_file() under the lock and released via fput() on the next iteration or in _destroy(). vm_mm is already correct because lock_vma_under_rcu() verifies vma->vm_mm == mm. All other pointers are left as-is by memcpy() since the verifier treats them as untrusted.
Affected products
- Linux / Linux4ac4546821584736798aaa9e97da9f6eaf689ea3 – 83b8802c034e843b83a3e1ef6f30cdd4e9ec291c
- Linux / Linux4ac4546821584736798aaa9e97da9f6eaf689ea3 – 592226d138378601ae28eb890e2bbc23ec3600f7
- Linux / Linux4ac4546821584736798aaa9e97da9f6eaf689ea3 – 13860ca37b8df0b856ee1ce3bdbd7c327d5f53e8
- Linux / Linux4ac4546821584736798aaa9e97da9f6eaf689ea3 – 4cbee026db54cad39c39db4d356100cb133412b3
- Linux / Linux6.7 – 6.7
- Linux / Linux0 – 6.7
- Linux / Linux6.12.91 – 6.12.*
- Linux / Linux6.18.33 – 6.18.*
- Linux / Linux7.0.10 – 7.0.*
- Linux / Linux7.1 – *
References
- MISChttps://git.kernel.org/stable/c/83b8802c034e843b83a3e1ef6f30cdd4e9ec291c
- MISChttps://git.kernel.org/stable/c/592226d138378601ae28eb890e2bbc23ec3600f7
- MISChttps://git.kernel.org/stable/c/13860ca37b8df0b856ee1ce3bdbd7c327d5f53e8
- MISChttps://git.kernel.org/stable/c/4cbee026db54cad39c39db4d356100cb133412b3