Bug 1993190 (CVE-2021-38166)

Summary: CVE-2021-38166 kernel: integer overflow and out-of-bounds write in kernel/bpf/hashtab.c when many elements are placed in a single bucket
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, blc, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jeremy, jforbes, jlelli, jonathan, josef, jpazdziora, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, steved, tomckay, walters, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.14-rc6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. An integer overflow can allow an out-of-bounds write when many elements are placed in a hash's bucket. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-08 02:30:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1993191, 1994186, 1994187, 1994188
Bug Blocks: 1993192

Description Guilherme de Almeida Suckevicz 2021-08-12 13:56:12 UTC
A flaw in the Linux kernel's bpf implementation allows a local attacker to create an integer overflow resulting in an out-of-bounds write when a hashtable bucket has too many elements inserted. This is limited to users who are able to use the bpf syscall, and is not enabled by default on Red Hat Enterprise Linux kernels.

By default there is no action required. If the system has been configured to allow unprivileged users to use the ebpf subsystem, this can be rectified by issuing the command:

# sysctl -w kernel.unprivileged_bpf_disabled=1

To make these changes persistent between boots, insert the same rule using the mechanisms outlined in the man pages for sysctl.d and sysctl.conf.


Reference and upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=c4eb1f403243fc7bbb7de644db8587c03de36da6
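The following POSIX shell snippet is an added example and is not part of the Bugzilla entry or of any Red Hat tooling. It wraps the two steps the description gives (check whether unprivileged bpf(2) is reachable, then persist the sysctl) so that the state can be audited on a fleet and the drop-in written in one go. The file and directory paths are parameters so the functions can be exercised against a temporary directory; the drop-in file name 99-unprivileged-bpf.conf is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the bug entry): audit and persist the
# kernel.unprivileged_bpf_disabled mitigation for CVE-2021-38166.

# Report whether unprivileged users can reach bpf(2).
# $1 (optional): procfs file to read; defaults to the live sysctl.
# Prints "allowed" (value 0), "disabled" (any non-zero value) or
# "unknown" (file missing or unparseable). Return code mirrors that:
# 0 = disabled, 1 = allowed, 2 = unknown, so it can drive a fleet check.
bpf_unpriv_status() {
    file="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    if [ ! -r "$file" ]; then
        echo unknown
        return 2
    fi
    val=$(tr -d '[:space:]' < "$file")
    case "$val" in
        0)   echo allowed;  return 1 ;;
        [1-9]) echo disabled; return 0 ;;   # 1 is the value the entry recommends
        *)   echo unknown;  return 2 ;;
    esac
}

# Write the setting as a sysctl.d drop-in so it survives a reboot.
# $1 (optional): target directory, default /etc/sysctl.d (pass a temp
# directory to test without touching the system).
persist_bpf_disable() {
    dir="${1:-/etc/sysctl.d}"
    mkdir -p "$dir" || return 1
    printf '%s\n' \
        '# CVE-2021-38166 mitigation: deny bpf(2) to unprivileged users' \
        'kernel.unprivileged_bpf_disabled = 1' > "$dir/99-unprivileged-bpf.conf"
}

# Stand-alone use: ./check_bpf.sh [--persist]
# Without --persist only the current state is reported.
if [ "${1:-}" = "--persist" ]; then
    persist_bpf_disable && echo "drop-in written; run 'sysctl --system' to apply"
fi
echo "unprivileged bpf: $(bpf_unpriv_status)"
```

Note that the live check reads procfs directly instead of calling sysctl, so it works in minimal containers; the drop-in only takes effect after `sysctl --system` or a reboot, and the `sysctl -w` command from the description still applies the setting immediately on the running kernel.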

Comment 1 Guilherme de Almeida Suckevicz 2021-08-12 13:56:39 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1993191]