Bug 1923816 (CVE-2021-20268) - CVE-2021-20268 kernel: eBPF Improper Input Validation
Summary: CVE-2021-20268 kernel: eBPF Improper Input Validation
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-20268
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1932448 1932449 1932450 1932451 1923817 1926905 1926906 1926908
Blocks: 1923818 1935371
TreeView+ depends on / blocked
 
Reported: 2021-02-02 01:13 UTC by Pedro Sampaio
Modified: 2023-12-14 18:06 UTC (History)
48 users (show)

Fixed In Version: kernel 5.10.10
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. This flaw allows a local user to crash the system or possibly escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-11-09 15:03:52 UTC
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2021-02-02 01:13:10 UTC 
A flaw was found in the Linux kernel. Improper Input Validation in the handling of eBPF programs may lead to privilege escalation.

References:

https://www.zerodayinitiative.com/advisories/ZDI-21-101/
Comment 1 Pedro Sampaio 2021-02-02 01:14:01 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1923817]
Comment 2 Justin M. Forbes 2021-02-02 16:08:17 UTC 
This was fixed for Fedora with the 5.10.10 stable kernel updates.
Comment 4 Alex 2021-02-09 08:56:46 UTC 
Statement:

This flaw is rated as having Moderate impact because of the need to have elevated privileges or non-standard configuration for running BPF script.
Comment 13 Salvatore Bonaccorso 2021-03-05 08:05:55 UTC 
Hi

Could you point to the upstream commit which fixed this issue?

The refernced discussion / proposed patch was not applied as such in the 5.10.y series afaics.
Comment 14 Salvatore Bonaccorso 2021-03-05 08:09:12 UTC 
Okay I suspect this is https://git.kernel.org/linus/bc895e8b2a64e502fbba72748d59618272052a8b ?
Comment 15 RaTasha Tillery-Smith 2021-03-05 14:43:40 UTC 
Mitigation:

As a temporary solution, set the following sysctl:

kernel.unprivileged_bpf_disabled = 1
Comment 16 Alex 2021-03-07 14:51:42 UTC 
In reply to comment #13:
> Hi
> 
> Could you point to the upstream commit which fixed this issue?
> 
> The refernced discussion / proposed patch was not applied as such in the
> 5.10.y series afaics.

The patch is
https://lore.kernel.org/bpf/CACAyw99bEYWJCSGqfLiJ9Jp5YE1ZsZSiJxb4RFUTwbofipf0dA@mail.gmail.com/T/#m8929643e99bea9c18ed490a7bc2591145eac6444
(similar to previously provided link https://lkml.org/lkml/2021/1/26/735 ),
and looks like not applied yet for the upstream (at least cannot find it with https://git.kernel.org/ ).
Comment 17 Alex 2021-03-07 14:51:55 UTC 
External References:

https://lore.kernel.org/bpf/CACAyw99bEYWJCSGqfLiJ9Jp5YE1ZsZSiJxb4RFUTwbofipf0dA@mail.gmail.com/T/#m8929643e99bea9c18ed490a7bc2591145eac6444
Note You need to log in before you can comment on or make changes to this bug.