Bug 1817350 (CVE-2020-8835)
| Summary: | CVE-2020-8835 kernel: out-of-bounds read/write in the bpf verifier | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | msiddiqu |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | acaringi, airlied, bdettelb, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jschorr, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, ppandit, qzhao, rt-maint, rvrbovsk, security-response-team, steved, williams, wmealing |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
An out-of-bounds access flaw was found in the Linux kernel’s implementation of the eBPF code verifier, where an incorrect register bounds calculation while checking 32-bit instructions in an eBPF program occurs. This flaw allows an unprivileged user or process to execute eBPF programs to crash the kernel, resulting in a denial of service or potentially gaining root privileges on the system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-30 22:31:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1818941 | ||
| Bug Blocks: | 1817351 | ||
|
Description
msiddiqu
2020-03-26 08:28:26 UTC
Mitigation:
The Linux kernel versions as shipped with Red Hat Enterprise Linux 5, 6, 7, 8 and Red Hat Enterprise Linux MRG 2 are not affected because they did not backport the commit
581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")
which introduced this issue. Also by default unprivileged user are not allowed to access bpf(2) syscall.
Fedora kernel allows unprivileged users to access to bpf(2) syscall by default and is prone to this issue. To disable unprivileged access to bpf(2) sycall set following sysctl(8) variable:
# sysctl -w kernel.unprivileged_bpf_disabled=1
Statement: This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8 and Red Hat Enterprise MRG 2. Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1818941] This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8835 FEDORA-2020-4ef0bcc89c has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. https://www.thezdi.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification ^ says apparently 4.4+ we no longer need CAP_SYS_ADMIN to run ebpf by default anymore.. not sure if this is optional to configuration or not. kernel.unprivileged_bpf_disabled; if set to '1', normal users can't use eBPF |