Bug 2010090 (CVE-2021-20320)

Summary: CVE-2021-20320 kernel: s390 eBPF JIT miscompilation issues fixes
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, bskeggs, chwhite, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, security-response-team, steved, swood, vkumar, walters, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.15 rc3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in s390 eBPF JIT in bpf_jit_insn in arch/s390/net/bpf_jit_comp.c in the Linux kernel. In this flaw, a local attacker with special user privilege can circumvent the verifier and may lead to a confidentiality problem.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 2012561, 2012691, 2012692, 2012693
Bug Blocks: 2005824, 2013145

Description Rohit Keshri 2021-10-03 15:58:21 UTC
A flaw was found in s390 eBPF JIT in bpf_jit_insn in arch/s390/net/bpf_jit_comp.c in the Linux kernel. In this flaw, a local attacker with special user privilege can circumvent the verifier and may lead to a confidentiality problem.

Uncovered three miscompilation issues in the s390 eBPF JIT. They can be used by an unprivileged local user to circumvent the verifier and gain root privileges. This series fixes all 3; no new tests are required since Johan's tests will be integrated upstream.

- 2 fixes are for initial s390x eBPF JIT compiler backend implementation, v4.1+
- 1 fix v5.5+

https://lore.kernel.org/bpf/20210902185229.1840281-1-johan.almbladh@anyfinetworks.com/

Comment 1 Rohit Keshri 2021-10-10 09:50:03 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2012561]

Comment 9 Justin M. Forbes 2021-10-13 13:44:25 UTC
This was fixed for Fedora with the 5.14.7 stable kernel update.