In the Linux kernel, the following vulnerability has been resolved: bpf: return VMA snapshot...
🔗 CVE IDs covered (1)
📋 Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: return VMA snapshot from task_vma iterator
Holding the per-VMA lock across the BPF program body creates a lock ordering problem when helpers acquire locks that depend on mmap_lock:
vm_lock -> i_rwsem -> mmap_lock -> vm_lock
Snapshot the VMA under the per-VMA lock in _next() via memcpy(), then drop the lock before returning. The BPF program accesses only the snapshot.
The verifier only trusts vm_mm and vm_file pointers (see BTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). vm_file is reference- counted with get_file() under the lock and released via fput() on the next iteration or in _destroy(). vm_mm is already correct because lock_vma_under_rcu() verifies vma->vm_mm == mm. All other pointers are left as-is by memcpy() since the verifier treats them as untrusted.
🔗 References (6)
- https://nvd.nist.gov/vuln/detail/CVE-2026-53084
- https://git.kernel.org/stable/c/13860ca37b8df0b856ee1ce3bdbd7c327d5f53e8
- https://git.kernel.org/stable/c/4cbee026db54cad39c39db4d356100cb133412b3
- https://git.kernel.org/stable/c/592226d138378601ae28eb890e2bbc23ec3600f7
- https://git.kernel.org/stable/c/83b8802c034e843b83a3e1ef6f30cdd4e9ec291c
- https://github.com/advisories/GHSA-cmp2-w8c6-7f92