CVE-2018-25020: 
Linux Kernel vulnerability analysis and mitigation

CVE-2018-25020 affects the BPF subsystem in the Linux kernel versions before 4.17. The vulnerability was disclosed on December 8, 2021, and involves mishandling of situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. This vulnerability specifically impacts the kernel/bpf/core.c and net/core/filter.c components (NVD, MITRE).

The vulnerability occurs when a long jump crosses a boundary over instruction sequences that require heavy expansions into multiple BPF instructions. With BPF hardening enabled, constant values need to be rewritten to blind them, requiring bpfadjbranches() to adjust branch targets crossing the patchlet boundary. This adjustment can lead to target offsets that cannot fit into insn->off's upper 0x7fff limit, causing the offset to wrap around and become negative in s16 universe (GitHub Commit). The vulnerability has been assigned a CVSS 3.1 score of 7.8 (High) with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Ubuntu).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability affects both native eBPF and cBPF to eBPF migrations (NetApp Advisory).

The vulnerability has been fixed in Linux kernel version 4.17 and later. The fix involves detecting and rejecting occasions where offset truncation could occur, both in native eBPF and cBPF to eBPF migrations. For cBPF to eBPF migrations, bounds are checked in the bpfconvertfilter()'s BPFEMITJMP helper macro. For native eBPF, bpfpatchinsn_single() includes additional checks to detect problematic offsets before program reallocation (GitHub Commit).