Bug 1454647 (CVE-2017-9150)

Summary: CVE-2017-9150 kernel: eBPF verifier log leaks lower half of map pointer
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, aquini, bhu, blc, dhoward, esammons, fhrbata, gansalmon, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jforbes, jkacur, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, mlangsdo, nmurray, pholasek, plougher, rt-maint, rvrbovsk, slawomir, vdronov, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allows local users to obtain sensitive address information via crafted bpf system calls.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-13 16:24:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1454648, 1461952    
Bug Blocks: 1454650    

Description Adam Mariš 2017-05-23 09:04:45 UTC 
The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allows local users to obtain sensitive kernel information address information via crafted bpf system calls.

Upstream patch:

https://github.com/torvalds/linux/commit/0d0e57697f162da4aa218b5feafe614fb666db07

External References:

https://packetstormsecurity.com/files/142630/GS20170523000807.txt
Comment 1 Adam Mariš 2017-05-23 09:05:28 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1454648]
Comment 2 Wade Mealing 2017-05-30 02:36:45 UTC 
Statement:
Comment 3 Wade Mealing 2017-05-30 02:37:07 UTC 
Statement:

This issue did not affect the versions of the kernel as shipped with Red Hat Enterprise Linux 5, 6,7 and MRG2/realtime kernels.
Comment 6 Justin M. Forbes 2017-05-30 14:39:11 UTC 
This issue was resolved with the 4.11.1 and newer kernels for Fedora