In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix re-attachment branch in bpftracingprog_attach
The following case can cause a crash due to missing attach_btf:
1) load rawtp program 2) load fentry program with rawtp as targetfd 3) create tracing link for fentry program with targetfd = 0 4) repeat 3
In the end we have:
the program was loaded for tgt_prog but we have no way to find out which one
BUG: kernel NULL pointer dereference, address: 0000000000000058 Call Trace: <TASK> ? _die+0x20/0x70 ? pagefaultoops+0x15b/0x430 ? fixupexception+0x22/0x330 ? excpagefault+0x6f/0x170 ? asmexcpagefault+0x22/0x30 ? bpftracingprogattach+0x279/0x560 ? btfobjid+0x5/0x10 bpftracingprogattach+0x439/0x560 _sysbpf+0x1cf4/0x2de0 _x64sysbpf+0x1c/0x30 dosyscall64+0x41/0xf0 entrySYSCALL64afterhwframe+0x6e/0x76
Return -EINVAL in this situation.