Bug 1233615 – CVE-2015-4700 kernel: Crafted BPF filters may crash kernel during JIT optimisation

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1233615 - (CVE-2015-4700) CVE-2015-4700 kernel: Crafted BPF filters may crash kernel during JIT optimisation

Summary:	CVE-2015-4700 kernel: Crafted BPF filters may crash kernel during JIT optimis...

Status:	NEW

Aliases:	CVE-2015-4700

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20150623,repo...
Keywords:	Security

Depends On:	1236938 1236939 1236941 1236942 1236943 1236944 1236946 1246323
Blocks:	1226003
	Show dependency tree / graph

Reported:	2015-06-19 05:44 EDT by Wade Mealing
Modified:	2018-08-28 17:59 EDT (History)
CC List:	35 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A flaw was found in the kernel's implementation of the Berkeley Packet Filter (BPF). A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly optimize the JIT image on the last pass. This would lead to the CPU executing instructions that were not part of the JIT code.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1778	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2015-09-15 12:03:32 EDT
Red Hat Product Errata	RHSA-2015:1788	normal	SHIPPED_LIVE	Important: kernel-rt security, bug fix, and enhancement update	2015-09-15 09:38:06 EDT

Groups: None (edit)

Description Wade Mealing 2015-06-19 05:44:27 EDT

A flaw was found in the kernels implementation of the Berkly Packet Filter.
Specially crafted BPF code  may be able to crash the system by creating a
situation in which the JIT compiler will fail to correctly optimise
the JIT image on the last pass.  This would to the CPU executing instructions 
that were not part of the JIT code.

Workaround:

This issue does not affect most systems by default. An administrator would need to have enabled the BPF JIT to be affected.

It can be disabled immediately with the command:

#   echo 0 > /proc/sys/net/core/bpf_jit_enable

Or it can be disabled for all subsequent boots of the system by setting a value in  /etc/sysctl.d/44-bpf-jit-disable

## start file ##

net.core.bpf_jit_enable=0

## end file ##


Resources:

http://seclists.org/oss-sec/2015/q2/784
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/id=3f7352bf21f8fd7ba3e2fcef9488756f188e12be

Comment 1 Wade Mealing 2015-06-19 09:18:24 EDT

Acknowledgements:

Red Hat would like to thank Daniel Borkmann for reporting this issue.

Comment 2 Vasyl Kaigorodov 2015-06-26 09:38:35 EDT

CVE assigned: http://seclists.org/oss-sec/2015/q2/785

Comment 6 Wade Mealing 2015-06-30 00:33:14 EDT

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1236946]

Comment 7 Wade Mealing 2015-06-30 00:34:23 EDT

Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5 and 6 as it does not contain the affected code. This does not affect the Red Hat Enterprise MRG 2 as it does not enable the affected code at compile time.

This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 7.

Comment 9 Kurt Seifried 2015-07-15 21:20:31 EDT

Mitigation:

This issue does not affect most systems by default. An administrator would need to have enabled the BPF JIT to be affected.

It can be disabled immediately with the command:

#   echo 0 > /proc/sys/net/core/bpf_jit_enable

Or it can be disabled for all subsequent boots of the system by setting a value in  /etc/sysctl.d/44-bpf-jit-disable

## start file ##

net.core.bpf_jit_enable=0

## end file ##

Comment 14 errata-xmlrpc 2015-09-15 05:39:39 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1788 https://rhn.redhat.com/errata/RHSA-2015-1788.html

Comment 15 errata-xmlrpc 2015-09-15 08:07:17 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1778 https://rhn.redhat.com/errata/RHSA-2015-1778.html

Note You need to log in before you can comment on or make changes to this bug.

aquini
arm-mgr
bhu
blc
carnil
dhoward
esammons
fhrbata
gansalmon
iboverma
itamar
jforbes
jiji
jkacur
joelsmith
jonathan
jross
jwboyer
kernel-maint
kernel-mgr
lgoncalv
madhu.chinakonda
matt
mchehab
mcressma
mlangsdo
nmurray
plougher
pmatouse
rt-maint
rvrbovsk
security-response-team
slong
vgoyal
williams