Bug 1923816 (CVE-2021-20268)

Summary: CVE-2021-20268 kernel: eBPF Improper Input Validation
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, allarkin, bhu, blc, bmasney, brdeoliv, bskeggs, carnil, chwhite, dhoward, dramseur, dvlasenk, fhrbata, hdegoede, hkrzesin, itamar, jarodwilson, jeremy, jforbes, jhunter, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, kmitts, lgoncalv, linville, masami256, mchehab, mgala, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, security-response-team, steved, walters, williams, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: kernel 5.10.10
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. This flaw allows a local user to crash the system or possibly escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Story Points: ---
Last Closed: 2021-11-09 15:03:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1932448, 1932449, 1932450, 1932451, 1923817, 1926905, 1926906, 1926908
Bug Blocks: 1923818, 1935371

Description Pedro Sampaio 2021-02-02 01:13:10 UTC
A flaw was found in the Linux kernel. Improper Input Validation in the handling of eBPF programs may lead to privilege escalation.

References:

https://www.zerodayinitiative.com/advisories/ZDI-21-101/

Comment 1 Pedro Sampaio 2021-02-02 01:14:01 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1923817]

Comment 2 Justin M. Forbes 2021-02-02 16:08:17 UTC
This was fixed for Fedora with the 5.10.10 stable kernel updates.

Comment 4 Alex 2021-02-09 08:56:46 UTC
Statement:

This flaw is rated as having Moderate impact because of the need to have elevated privileges or non-standard configuration for running BPF script.

Comment 13 Salvatore Bonaccorso 2021-03-05 08:05:55 UTC
Hi

Could you point to the upstream commit which fixed this issue?

The referenced discussion / proposed patch was not applied as such in the 5.10.y series afaics.

Comment 14 Salvatore Bonaccorso 2021-03-05 08:09:12 UTC
Okay, I suspect this is https://git.kernel.org/linus/bc895e8b2a64e502fbba72748d59618272052a8b ?

Comment 15 RaTasha Tillery-Smith 2021-03-05 14:43:40 UTC
Mitigation:

As a temporary solution, set the following sysctl:

kernel.unprivileged_bpf_disabled = 1

Comment 16 Alex 2021-03-07 14:51:42 UTC
In reply to comment #13:
> Hi
> 
> Could you point to the upstream commit which fixed this issue?
> 
> The referenced discussion / proposed patch was not applied as such in the
> 5.10.y series afaics.

The patch is
https://lore.kernel.org/bpf/CACAyw99bEYWJCSGqfLiJ9Jp5YE1ZsZSiJxb4RFUTwbofipf0dA@mail.gmail.com/T/#m8929643e99bea9c18ed490a7bc2591145eac6444
(similar to the previously provided link https://lkml.org/lkml/2021/1/26/735 ),
and it looks like it has not been applied upstream yet (at least I cannot find it via https://git.kernel.org/ ).