Bug 1959556 (CVE-2021-3490)

Summary: CVE-2021-3490 kernel: Linux kernel eBPF bitwise ops ALU32 bounds tracking
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, allarkin, bhu, blc, bmasney, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarodwilson, jeremy, jforbes, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rkeshri, rvrbovsk, steved, walters, wcosta, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Kernel 5.13 rc4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernels eBPF verification code. It was discovered that eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) did not update the 32-bit bounds. By default accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. A local user with the ability to insert eBPF instructions could use this flaw to crash the system or possibly escalate their privileges on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-10 16:29:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1963864, 1959557, 1963733, 1963734, 1963735    
Bug Blocks: 1959558    

Description Pedro Sampaio 2021-05-11 18:59:30 UTC 
A flaw was found in the Linux kernels eBPF verification code. It was discovered that eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) did not update the 32-bit bounds.  By default accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. A local user with the ability to insert eBPF instructions could use this flaw to crash the system or possibly escalate their privileges on the system.

References:

https://www.openwall.com/lists/oss-security/2021/05/11/11
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=049c4e13714ecbca567b4d5f6d563f05d431c80e
Comment 1 Pedro Sampaio 2021-05-11 19:00:10 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1959557]