CVE-2021-47607: 
Linux Kernel vulnerability analysis and mitigation

CVE-2021-47607 affects the Linux kernel's BPF (Berkeley Packet Filter) implementation. The vulnerability was discovered in the atomic cmpxchg operation where the verifier failed to reject unprivileged programs when R0 contains a pointer as old value. This vulnerability was disclosed on June 19, 2024, affecting Linux kernel versions from 5.12 up to (excluding) 5.15.11, and version 5.16-rc1 through 5.16-rc5 (NVD).

The vulnerability exists in the BPFCMPXCHG implementation where R0 is used as an auxiliary register for both input (old value) and output (returning old value from memory location). The verifier performs safety checks but fails to reject cases where R0 contains a pointer as old value in unprivileged programs. The implementation uses parameters in the format: BPFR0 = cmpxchg{32,64}(DSTREG + insn->off, BPFR0, SRCREG) where DSTREG represents the memory location and SRC_REG contains the new value (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows an unprivileged attacker to leak kernel memory addresses through brute-forcing. According to the patch details, it takes approximately 16 seconds to leak a kernel pointer using BPFCMPXCHG. The exploit works by probing for kernel addresses by storing guessed addresses into map slots as scalars and using the map value pointer as R0 while SRCREG contains a canary value to detect matching addresses (Kernel Patch).

The vulnerability has been fixed by adding additional checks in the verifier to reject cases where R0 contains a pointer value in unprivileged programs. The fix was implemented in the kernel's BPF verifier code by checking R0 for pointers and rejecting such cases for unprivileged programs. Users should upgrade to Linux kernel version 5.15.11 or later to receive the fix (Kernel Patch).