Bug 1946684 (CVE-2021-29154)
Summary: | CVE-2021-29154 kernel: Local privilege escalation due to incorrect BPF JIT branch displacement computation | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | acaringi, adscvr, airlied, alciregi, bdettelb, bhu, blc, bmasney, brdeoliv, bskeggs, chwhite, crwood, dhoward, d.iskhakov, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarodwilson, jbenc, jeremy, jforbes, jglisse, jlelli, jolsa, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, security-response-team, steved, tomckay, walters, williams, wmealing |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A flaw was found in the Linux kernels eBPF implementation. By default, accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. A local user with the ability to insert eBPF instructions can abuse a flaw in eBPF to corrupt memory. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-08-31 11:57:58 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1950952, 1950953, 1950954, 1950955, 1944798, 1947249, 1947250, 1947251, 1947252, 1947253, 1947631, 1947808 | ||
Bug Blocks: | 1946685 |
Description
Pedro Sampaio
2021-04-06 16:40:41 UTC
Statement: This flaw is rated as having Moderate impact as eBPF requires a privileged user on Red Hat Enterprise Linux to correctly load eBPF instructions that can be exploited. Mitigation: To exploit this flaw, an attacker would need to be a privileged user. The eBPF JIT can not be disabled in the versions of the kernel that ship with RHEL9. Preventing unprivileged users from becoming root or CAP_SYS_ADMIN , would be enough to prevent an attacker from successfully exploiting this flaw. Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1947631] The following options does not work in Fedora 33: [root@test ~]# sysctl net.core.bpf_jit_enable=0 sysctl: setting key "net.core.bpf_jit_enable": Invalid argument [root@test ~]# echo 0 > /proc/sys/net/core/bpf_jit_enable -bash: echo: write error: Invalid argument I think it has something to do with the kernel build option CONFIG_BPF_JIT_ALWAYS_ON=y Upstream fix https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=e4d4d456436bfb2fe412ee2cd489f7658449b098 Yeah, it looks like CONFIG_BPF_JIT_ALWAYS_ON=y is the default for el7 and el8. This mitigation isn't going to work. Fortunately, it's still behind a privileged user requirement to execute eBPF. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3327 https://access.redhat.com/errata/RHSA-2021:3327 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3328 https://access.redhat.com/errata/RHSA-2021:3328 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-29154 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988 |