Bug 2044578 (CVE-2022-0500)

Summary: CVE-2022-0500 kernel: Linux ebpf logic vulnerability leads to critical memory read and write gaining root privileges
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, allarkin, bhu, carnil, chwhite, crwood, dfreiber, drow, dvlasenk, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, steved, vkumar, vmalik, walters, williams, zulinx86
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Linux kernel 5.17-rc1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel’s BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2045103, 2045104, 2045105, 2045106, 2056248    
Bug Blocks: 2044579, 2050770    

Description Pedro Sampaio 2022-01-24 19:05:54 UTC 
Linux ebpf logic vulnerability leads to critical memory read and write,An attacker with cap_bpf can gain root privileges or container escape.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=2040599
Comment 8 Alex 2022-02-20 13:50:08 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2056248]
Comment 10 Salvatore Bonaccorso 2022-02-21 07:32:03 UTC 
Hi Pedro

The information is quite scarce here to determine which kernel versions are affected by the issue. Can you point to the upstream fix in 5.17-rc1 which fixes the issue? I'm interested to correctly track this CVE in another downstream distribution.

Many thanks already!

Regards,
Salvatore
Comment 11 Pedro Sampaio 2022-02-21 13:06:46 UTC 
In reply to comment #10:
> Hi Pedro
> 
> The information is quite scarce here to determine which kernel versions are
> affected by the issue. Can you point to the upstream fix in 5.17-rc1 which
> fixes the issue? I'm interested to correctly track this CVE in another
> downstream distribution.
> 
> Many thanks already!
> 
> Regards,
> Salvatore

You can find the related commits here:

https://access.redhat.com/security/cve/CVE-2022-0500
Comment 12 Salvatore Bonaccorso 2022-02-21 13:14:23 UTC 
Hi Pedro,

(In reply to Pedro Sampaio from comment #11)
> In reply to comment #10:
> > Hi Pedro
> > 
> > The information is quite scarce here to determine which kernel versions are
> > affected by the issue. Can you point to the upstream fix in 5.17-rc1 which
> > fixes the issue? I'm interested to correctly track this CVE in another
> > downstream distribution.
> > 
> > Many thanks already!
> > 
> > Regards,
> > Salvatore
> 
> You can find the related commits here:
> 
> https://access.redhat.com/security/cve/CVE-2022-0500

Thank you!
Comment 13 Salvatore Bonaccorso 2022-02-21 13:18:35 UTC 
Pedro, I wonder this is not duplicating CVE-2022-23222 right because treating a different aspect?
Comment 14 Salvatore Bonaccorso 2022-02-24 08:21:50 UTC 
Given https://lore.kernel.org/stable/20220216225209.2196865-1-haoluo@google.com/ this would be separate from CVE-2022-23222 and the fix for this vulnerability is the there mentioned 7th patch ("bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM").
Comment 29 errata-xmlrpc 2024-02-07 16:28:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0724 https://access.redhat.com/errata/RHSA-2024:0724
Comment 31 errata-xmlrpc 2024-05-22 09:12:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950
Comment 32 errata-xmlrpc 2024-05-22 09:48:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138
Comment 33 errata-xmlrpc 2024-11-26 00:47:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:10262 https://access.redhat.com/errata/RHSA-2024:10262