Bug 1233615 (CVE-2015-4700) - CVE-2015-4700 kernel: Crafted BPF filters may crash kernel during JIT optimisation
Summary: CVE-2015-4700 kernel: Crafted BPF filters may crash kernel during JIT optimis...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-4700
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1236938 1236939 1236941 1236942 1236943 1236944 1236946 1246323
Blocks: 1226003
TreeView+ depends on / blocked
 
Reported: 2015-06-19 09:44 UTC by Wade Mealing
Modified: 2023-05-12 14:06 UTC (History)
34 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the kernel's implementation of the Berkeley Packet Filter (BPF). A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly optimize the JIT image on the last pass. This would lead to the CPU executing instructions that were not part of the JIT code.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:41:56 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1778 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2015-09-15 16:03:32 UTC
Red Hat Product Errata RHSA-2015:1788 0 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2015-09-15 13:38:06 UTC

Description Wade Mealing 2015-06-19 09:44:27 UTC
A flaw was found in the kernels implementation of the Berkly Packet Filter.
Specially crafted BPF code  may be able to crash the system by creating a
situation in which the JIT compiler will fail to correctly optimise
the JIT image on the last pass.  This would to the CPU executing instructions 
that were not part of the JIT code.

Workaround:

This issue does not affect most systems by default. An administrator would need to have enabled the BPF JIT to be affected.

It can be disabled immediately with the command:

#   echo 0 > /proc/sys/net/core/bpf_jit_enable

Or it can be disabled for all subsequent boots of the system by setting a value in  /etc/sysctl.d/44-bpf-jit-disable

## start file ##

net.core.bpf_jit_enable=0

## end file ##


Resources:

http://seclists.org/oss-sec/2015/q2/784
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/id=3f7352bf21f8fd7ba3e2fcef9488756f188e12be

Comment 1 Wade Mealing 2015-06-19 13:18:24 UTC
Acknowledgements:

Red Hat would like to thank Daniel Borkmann for reporting this issue.

Comment 2 Vasyl Kaigorodov 2015-06-26 13:38:35 UTC
CVE assigned: http://seclists.org/oss-sec/2015/q2/785

Comment 6 Wade Mealing 2015-06-30 04:33:14 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1236946]

Comment 7 Wade Mealing 2015-06-30 04:34:23 UTC
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5 and 6 as it does not contain the affected code. This does not affect the Red Hat Enterprise MRG 2 as it does not enable the affected code at compile time.

This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 7.

Comment 9 Kurt Seifried 2015-07-16 01:20:31 UTC
Mitigation:

This issue does not affect most systems by default. An administrator would need to have enabled the BPF JIT to be affected.

It can be disabled immediately with the command:

#   echo 0 > /proc/sys/net/core/bpf_jit_enable

Or it can be disabled for all subsequent boots of the system by setting a value in  /etc/sysctl.d/44-bpf-jit-disable

## start file ##

net.core.bpf_jit_enable=0

## end file ##

Comment 14 errata-xmlrpc 2015-09-15 09:39:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1788 https://rhn.redhat.com/errata/RHSA-2015-1788.html

Comment 15 errata-xmlrpc 2015-09-15 12:07:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1778 https://rhn.redhat.com/errata/RHSA-2015-1778.html


Note You need to log in before you can comment on or make changes to this bug.