Bug 1529123 (CVE-2017-17863)

Summary: CVE-2017-17863 kernel: integer overflow in static int check_alu_op function in bpf/verifier.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: airlied, ajax, aquini, bhu, blc, bskeggs, dhoward, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, john.j5live, jolsa, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, ppandit, psampaio, rt-maint, rvrbovsk, skozina, steved, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:34:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1529125, 1535005    
Bug Blocks: 1528364    

Description Pedro Sampaio 2017-12-26 14:33:08 UTC 
kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not check the relationship between pointer values and the BPF stack, which allows local users to cause a denial of service (integer overflow or invalid memory access) or possibly have unspecified other impact.

References:

https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/bugfix/all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch?h=stretch-security
https://www.spinics.net/lists/stable/msg206985.html
Comment 1 Pedro Sampaio 2017-12-26 14:48:32 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1529125]
Comment 3 Prasad Pandit 2018-01-18 05:24:36 UTC 
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.
Comment 5 Jiri Olsa 2019-01-09 09:02:53 UTC 
(In reply to Pedro Sampaio from comment #0)
> kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not
> check the relationship between pointer values and the BPF stack, which
> allows local users to cause a denial of service (integer overflow or invalid
> memory access) or possibly have unspecified other impact.
> 
> References:
> 
> https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/bugfix/
> all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch?h=stretch-
> security
> https://www.spinics.net/lists/stable/msg206985.html

based on info from BZ1529120 is the requested 4.9 patch:
  bpf: reject out-of-bounds stack pointer calculation

counterpart to upstream:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=179d1c5602997fef5a940c6ddcf31212cbfebd14.

please let me know if that's correct or provide nother upstream patch

thanks,
jirka
Comment 6 Pedro Sampaio 2019-01-09 17:03:49 UTC 
Yes, I could confirm that the 4.9 patch aims to reflect the same behavior of this counterpart patch on the newer upstream code.