BPF STX Kernel Write Exploit

bpf has a little virtual machine that executes packet filters. The machine includes a "scratch area" of BPF_MEMWORDS 32-bit words, stored as an array on the stack of the interpreter. There are two instructions that write to that array, and both index it directly with the instruction's k field:

	case BPF_ST:
		mem[pc->k] = A;
		continue;

	case BPF_STX:
		mem[pc->k] = X;
		continue;

bpf_validate runs before a filter is installed to check the program. It bounds-checks the k field of BPF_ST correctly, but forgets to apply the same check to BPF_STX:

	/*
	 * Check that memory operations use valid addresses.
	 */
	if ((BPF_CLASS(p->code) == BPF_ST ||
	    (BPF_CLASS(p->code) == BPF_LD &&
	    (p->code & 0xe0) == BPF_MEM)) &&
	    p->k >= BPF_MEMWORDS)
		return 0;

Because the k field of a BPF_STX instruction is never compared against BPF_MEMWORDS, a filter can store the X register at mem[k] for any k, so arbitrary locations on the stack beyond the scratch array can be modified.
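To make the missing check concrete, here is an added example (not code from the page or from any BSD kernel) that puts the address check as quoted above beside a version that also covers BPF_STX, and runs both over a few constructed filter programs. The BPF encoding macros and struct layout are re-declared locally with the classic values from <net/bpf.h> so the example builds without kernel headers; the function and filter names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal re-declarations of the classic BPF encoding (same values as
 * <net/bpf.h>), kept local so this builds as a plain userland program. */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_LD       0x00
#define BPF_LDX      0x01
#define BPF_ST       0x02
#define BPF_STX      0x03
#define BPF_MEM      0x60   /* addressing mode: scratch memory */
#define BPF_MEMWORDS 16     /* size of the scratch area, in 32-bit words */

struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* The address check as the page quotes it: BPF_ST and LD|MEM are bounded,
 * BPF_STX is not. Returns 1 if every instruction passes, 0 otherwise. */
int mem_ops_valid_original(const struct bpf_insn *f, int len)
{
    for (int i = 0; i < len; i++) {
        const struct bpf_insn *p = &f[i];
        if ((BPF_CLASS(p->code) == BPF_ST ||
             (BPF_CLASS(p->code) == BPF_LD &&
              (p->code & 0xe0) == BPF_MEM)) &&
            p->k >= BPF_MEMWORDS)
            return 0;
    }
    return 1;
}

/* Same check with BPF_STX added to the set of bounded store opcodes, so a
 * store through X is subject to the same k < BPF_MEMWORDS rule as a store
 * through A. */
int mem_ops_valid_fixed(const struct bpf_insn *f, int len)
{
    for (int i = 0; i < len; i++) {
        const struct bpf_insn *p = &f[i];
        if ((BPF_CLASS(p->code) == BPF_ST ||
             BPF_CLASS(p->code) == BPF_STX ||
             (BPF_CLASS(p->code) == BPF_LD &&
              (p->code & 0xe0) == BPF_MEM)) &&
            p->k >= BPF_MEMWORDS)
            return 0;
    }
    return 1;
}

/* Constructed sample filters (not taken from the page). */
const struct bpf_insn filter_stx_oob[] = { { BPF_STX, 0, 0, 1000 } }; /* STX past the scratch area */
const struct bpf_insn filter_st_oob[]  = { { BPF_ST,  0, 0, 1000 } }; /* ST past the scratch area */
const struct bpf_insn filter_ok[] = {                                 /* all indices in range */
    { BPF_ST,           0, 0, 0 },
    { BPF_STX,          0, 0, BPF_MEMWORDS - 1 },
    { BPF_LD | BPF_MEM, 0, 0, 3 },
};

#define FILTER_LEN(f) ((int)(sizeof(f) / sizeof((f)[0])))

int main(void)
{
    printf("STX k=1000: original=%d fixed=%d\n",
           mem_ops_valid_original(filter_stx_oob, FILTER_LEN(filter_stx_oob)),
           mem_ops_valid_fixed(filter_stx_oob, FILTER_LEN(filter_stx_oob)));
    printf("ST  k=1000: original=%d fixed=%d\n",
           mem_ops_valid_original(filter_st_oob, FILTER_LEN(filter_st_oob)),
           mem_ops_valid_fixed(filter_st_oob, FILTER_LEN(filter_st_oob)));
    printf("in-range  : original=%d fixed=%d\n",
           mem_ops_valid_original(filter_ok, FILTER_LEN(filter_ok)),
           mem_ops_valid_fixed(filter_ok, FILTER_LEN(filter_ok)));
    return 0;
}
```

The original check accepts the filter whose only instruction is an STX with k = 1000, which is exactly the program the interpreter would then execute as mem[1000] = X; the corrected check rejects it while still accepting the in-range program, and both versions reject the out-of-range ST.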

This bug was actually fixed in FreeBSD.