security vulnerability in ubpf_interpreter

[Angen-Bubbling]

Hi developers,
We have identified a flaw in the ubpf_interpreter, which may lead to undefined behavior.

Description

When encountering BPF_XCHG or BPF_CMPXCHG, the ubpf_interpreter and ubpf_jit may behave differently. According to the Linux kernel documentation, the BPF_FETCH flag should always be set for complex atomic operations. However, the ubpf_interpreter accepts instructions such as BPF_XCHG even if the BPF_FETCH flag is not set. The interpreter executes the instruction without modifying the source operand. Meanwhile, ubpf_jit does not check the BPF_FETCH flag and defaults to using lock xchg on x86.

The attached file contains the BPF bytecode, which will cause invalid memory access. It should fail to execute with ubpf_interpreter due to the BPF_XCHG instruction, but instead, it runs successfully. And finally, it causes a segmentation fault after ubpf_jit’s translation.

bytecode&harness.zip

Stack Dump
# 0 ubpf_exec_ex (vm=0x611000000040, mem=0x631000014800, mem_len=65536, bpf_return_value=0x7fffffffe180, stack_start=0x621000000100 "", stack_length=4096)
# 1 0x000055555565e9b1 in call_ubpf_interpreter (program_code=std::vector of length 48, capacity 64 = {...}, memory=std::vector of length 65536, capacity 65536 = {...},
ubpf_stack=std::vector of length 4096, capacity 4096 = {...}, interpreter_result=@0x7fffffffe180: 0)
# 2 0x0000555555661dbf in main (argc=2, argv=0x7fffffffe4f8)