Bug 1942667 (CVE-2021-3444)

Summary: CVE-2021-3444 kernel: bpf verifier incorrect mod32 truncation
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, blc, bmasney, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarodwilson, jeremy, jforbes, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, steved, tomckay, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script uses mod32 destination register truncation when the source register was known to be 0. This flaw allows a local user to crash the system or possibly escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 15:41:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1946619, 1946620, 1946621, 1946622, 1942669, 1945049, 1945050, 1945051, 1945052, 1945053, 1945057    
Bug Blocks: 1942668    

Description Guilherme de Almeida Suckevicz 2021-03-24 17:43:20 UTC 
The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution.

Reference:
https://www.openwall.com/lists/oss-security/2021/03/23/2

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9b00f1b78809
Comment 1 Guilherme de Almeida Suckevicz 2021-03-24 17:45:17 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1942669]
Comment 2 Justin M. Forbes 2021-03-25 16:44:49 UTC 
This was fixed for Fedora with the 5.10.19 stable kernel updates.
Comment 3 Alex 2021-03-25 16:46:02 UTC 
Mitigation:

The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl.   This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space.

For the Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled.
For the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command:

# cat /proc/sys/kernel/unprivileged_bpf_disabled

The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.
Comment 7 Alex 2021-03-31 09:59:10 UTC 
Statement:

This flaw is rated as having Moderate impact because of the need to have elevated privileges or non-standard configuration for running BPF script.