Bug 1912683 (CVE-2021-20194)

Summary: CVE-2021-20194 kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt()
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bhu, blc, bmasney, brdeoliv, bskeggs, chwhite, dhoward, dramseur, dvlasenk, fhrbata, hdegoede, hkrzesin, itamar, jarod, jarodwilson, jeremy, jforbes, jhunter, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, kmitts, lgoncalv, linville, masami256, mchehab, mgala, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, security-response-team, steved, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw buffer overflow in the Linux kernel BPF subsystem was found in the way user running BPF script calling getsockopt. A local user could use this flaw to crash the system or possibly escalate their privileges on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-08 13:46:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1951557, 1918724, 1918726, 1926781    
Bug Blocks: 1911540, 1926997    

Description Dhananjay Arunesh 2021-01-05 07:53:19 UTC 
There is vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution, the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly privileges escalation.
Comment 1 Alex 2021-01-05 09:09:09 UTC 
Acknowledgments:

Name: Loris Reiff
Comment 6 Petr Matousek 2021-01-14 12:27:08 UTC 
Statement:

This flaw is rated as having Moderate impact because of the need to have elevated privileges or non-standard configuration for running BPF script.
Comment 10 Alex 2021-02-09 13:00:38 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1926781]
Comment 12 Alex 2021-03-03 18:54:11 UTC 
Mitigation:

As a temporary solution set the following sysctl: kernel.unprivileged_bpf_disabled = 1
This is actual only starting from Red Hat Enterprise Linux 8.
Comment 13 Jiri Benc 2021-03-29 06:19:12 UTC 
(In reply to Alex from comment #12)
> As a temporary solution set the following sysctl:
> kernel.unprivileged_bpf_disabled = 1
> This is actual only starting from Red Hat Enterprise Linux 8.

In RHEL 8, unprivileged_bpf_disabled is set to 1 by default. (Moreover, if it's forced to 0, the kernel gets tainted and unsupported.)
Comment 25 errata-xmlrpc 2021-11-09 17:21:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4140 https://access.redhat.com/errata/RHSA-2021:4140
Comment 26 errata-xmlrpc 2021-11-09 18:23:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4356 https://access.redhat.com/errata/RHSA-2021:4356