Bug 1912683 (CVE-2021-20194)

Summary: CVE-2021-20194 kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt()
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, blc, bmasney, brdeoliv, bskeggs, chwhite, dhoward, dramseur, dvlasenk, fhrbata, hdegoede, hkrzesin, itamar, jarodwilson, jeremy, jforbes, jglisse, jhunter, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, kmitts, lgoncalv, linville, masami256, mchehab, mgala, mjudeiki, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, security-response-team, steved, walters, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow flaw was found in the Linux kernel's BPF subsystem in the way a BPF program attached to the cgroup getsockopt hook handles the option length. A local user could use this flaw to crash the system or possibly escalate their privileges on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1918724, 1918726, 1951557, 1926781
Bug Blocks: 1911540, 1926997

Description Dhananjay Arunesh 2021-01-05 07:53:19 UTC
There is a vulnerability in Linux kernel versions higher than 5.2 (if the kernel is compiled with the config params CONFIG_BPF_SYSCALL=y, CONFIG_BPF=y, CONFIG_CGROUPS=y, CONFIG_CGROUP_BPF=y, CONFIG_HARDENED_USERCOPY not set, and a BPF hook to getsockopt is registered). As a result of BPF execution, a local user can trigger a bug in the __cgroup_bpf_run_filter_getsockopt() function that can lead to a heap overflow (because of non-hardened usercopy). The impact of the attack could be denial of service or possibly privilege escalation.
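An added user-space model of the bug class the description names (editor's illustration, not kernel code and not from the bug report): a heap buffer is sized from a user-supplied length, and the copy into it takes its length from user-controlled memory a second time. That the length is re-read after the buffer was sized is an assumption about the mechanism made for illustration; the guard bytes, the function names and the hardened/unhardened copy routines are the model's own. It shows why the report lists CONFIG_HARDENED_USERCOPY as a precondition: a copy that checks the destination object's size refuses the oversized length, the unchecked copy corrupts the bytes after the allocation, and bounding the length by the allocation avoids both outcomes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN  64     /* guard bytes after the buffer stand in for the next heap object */
#define GUARD_BYTE 0xA5

/* Model of a kmalloc'd option buffer whose allocation size is tracked,
 * which is what lets a hardened copy check the length against the object. */
struct optbuf {
    unsigned char *mem;   /* alloc_len data bytes followed by GUARD_LEN guard bytes */
    size_t alloc_len;
};

static int optbuf_alloc(struct optbuf *b, size_t n)
{
    b->mem = malloc(n + GUARD_LEN);
    if (!b->mem)
        return -1;
    memset(b->mem, GUARD_BYTE, n + GUARD_LEN);
    b->alloc_len = n;
    return 0;
}

/* 1 if nothing was written past the allocation, 0 if the guard was clobbered. */
static int guard_intact(const struct optbuf *b)
{
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (b->mem[b->alloc_len + i] != GUARD_BYTE)
            return 0;
    return 1;
}

/* Copy as a hardened usercopy would: refuse a length larger than the
 * destination object. Returns 0 on success, -1 when refused. */
static int copy_hardened(struct optbuf *b, const unsigned char *src, size_t n)
{
    if (n > b->alloc_len)
        return -1;
    memcpy(b->mem, src, n);
    return 0;
}

/* Copy with no object-size check. A real kernel write would run on past the
 * allocation; the model stops at the end of the guard region so the demo
 * stays well defined, which is enough to show the corruption. */
static int copy_unhardened(struct optbuf *b, const unsigned char *src, size_t n)
{
    size_t limit = b->alloc_len + GUARD_LEN;
    memcpy(b->mem, src, n < limit ? n : limit);
    return 0;
}

enum { FILTER_OK = 0, FILTER_REFUSED = -1, FILTER_OVERFLOWED = -2 };

/*
 * Model of the getsockopt filter path (assumed sequence, see lead-in).
 *   first_optlen  - the user length the buffer was sized from
 *   second_optlen - the length read again before copying; an attacker may
 *                   have changed it in between
 *   hardened      - use the object-size-checking copy
 *   clamped       - bound the copy length by the allocation (the correction a
 *                   reviewer would ask for, independent of usercopy hardening)
 */
static int run_filter(int first_optlen, int second_optlen, int hardened, int clamped)
{
    unsigned char user_optval[4096];          /* constructed "user page" */
    memset(user_optval, 0x41, sizeof user_optval);

    if (first_optlen < 0 || (size_t)first_optlen > sizeof user_optval)
        return FILTER_REFUSED;                 /* the initial length is validated */

    struct optbuf b;
    if (optbuf_alloc(&b, (size_t)first_optlen))
        return FILTER_REFUSED;

    /* A negative int cast to size_t becomes enormous: a signed length must be
     * checked for < 0 before it ever reaches a copy. The model lets it through
     * unclamped to show what the copies do with it. */
    size_t n = (size_t)second_optlen;
    if (clamped && n > b.alloc_len)
        n = b.alloc_len;
    if (n > sizeof user_optval)
        n = sizeof user_optval;                /* model bound on the user page */

    int rc = hardened ? copy_hardened(&b, user_optval, n)
                      : copy_unhardened(&b, user_optval, n);
    if (rc == 0 && !guard_intact(&b))
        rc = FILTER_OVERFLOWED;
    free(b.mem);
    return rc;
}

int main(void)
{
    printf("consistent length, no hardening: %d\n", run_filter(64, 64, 0, 0));
    printf("length grew, no hardening:       %d\n", run_filter(64, 256, 0, 0));
    printf("length grew, hardened usercopy:  %d\n", run_filter(64, 256, 1, 0));
    printf("length grew, length clamped:     %d\n", run_filter(64, 256, 0, 1));
    return 0;
}
```

Hardening only converts the overflow into a refused copy (a kernel WARN or BUG, so still a crash path for a local user); the clamp is what removes the bug, and a signed length additionally needs an explicit negative check before it is used as a size.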

Comment 1 Alex 2021-01-05 09:09:09 UTC
Acknowledgments:

Name: Loris Reiff

Comment 6 Petr Matousek 2021-01-14 12:27:08 UTC
Statement:

This flaw is rated as having Moderate impact because of the need to have elevated privileges or a non-standard configuration for running a BPF script.

Comment 10 Alex 2021-02-09 13:00:38 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1926781]

Comment 12 Alex 2021-03-03 18:54:11 UTC
Mitigation:

As a temporary solution set the following sysctl: kernel.unprivileged_bpf_disabled = 1
This applies only starting from Red Hat Enterprise Linux 8.

Comment 13 Jiri Benc 2021-03-29 06:19:12 UTC
(In reply to Alex from comment #12)
> As a temporary solution set the following sysctl:
> kernel.unprivileged_bpf_disabled = 1
> This applies only starting from Red Hat Enterprise Linux 8.

In RHEL 8, unprivileged_bpf_disabled is set to 1 by default. (Moreover, if it's forced to 0, the kernel gets tainted and unsupported.)
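An added audit script (editor's example, not from the bug report or Red Hat) that checks a host against the preconditions listed in the description and the sysctl mitigation from comment 12, taking into account comment 13's point that RHEL 8 already defaults to 1. The config and sysctl paths are the standard kernel locations; the classification labels and function names are the script's own.

```sh
#!/bin/sh
# Added audit script for the CVE-2021-20194 preconditions; not part of the bug report.

# Return 0 if kernel config option $1 is built in or modular in config file $2.
cfg_enabled() {
    grep -qE "^$1=(y|m)$" "$2"
}

# Emit the running kernel's config text from /boot or /proc/config.gz.
kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    fi
}

# classify CONFIG_FILE UNPRIVILEGED_BPF_DISABLED
# Prints one label:
#   not-affected-config : one of the BPF/cgroup options the report lists is absent
#   hardened-usercopy   : CONFIG_HARDENED_USERCOPY is set, so the oversized copy
#                         is caught by the usercopy check instead of overflowing
#   mitigated-sysctl    : unprivileged BPF is off (1, or 2 on newer kernels), so
#                         only privileged users can load a getsockopt hook
#   exposed             : all listed preconditions hold and no mitigation applies
classify() {
    cfg=$1
    unpriv=$2
    for opt in CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_CGROUPS CONFIG_CGROUP_BPF; do
        if ! cfg_enabled "$opt" "$cfg"; then
            echo not-affected-config
            return 0
        fi
    done
    if cfg_enabled CONFIG_HARDENED_USERCOPY "$cfg"; then
        echo hardened-usercopy
        return 0
    fi
    case $unpriv in
        1|2) echo mitigated-sysctl; return 0 ;;
    esac
    echo exposed
}

# Run against the live host: kernel release, sysctl value, classification.
# The kernel version is deliberately not compared against 5.2: distribution
# kernels carry backports (this bug tracks RHEL 8), so the config is the signal.
scan_host() {
    tmp=$(mktemp) || return 1
    kernel_config > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no readable kernel config; cannot classify" >&2
        rm -f "$tmp"
        return 1
    fi
    unpriv=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo unknown)
    printf '%s unprivileged_bpf_disabled=%s -> %s\n' \
        "$(uname -r)" "$unpriv" "$(classify "$tmp" "$unpriv")"
    rm -f "$tmp"
}

# Only touch the live system when invoked as: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    scan_host
fi
```

The sysctl is a mitigation, not a fix: it keeps unprivileged users from loading BPF programs, but anyone who can already attach a program to the cgroup getsockopt hook is unaffected by it, and the script does not check whether such a hook is attached (`bpftool cgroup tree` lists attached cgroup programs on a running host). The real remedy is the fixed kernel from the tracking bugs listed above.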