Bug 1528518 (CVE-2017-16995) - CVE-2017-16995 kernel: memory corruption caused by BPF verifier bugs can allow for arbitrary code execution
Summary: CVE-2017-16995 kernel: memory corruption caused by BPF verifier bugs can allo...
Status: NEW
Alias: CVE-2017-16995
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20171222,repo...
Keywords: Security
Depends On: 1528638 1528519 1593283
Blocks: 1528364
TreeView+ depends on / blocked
 
Reported: 2017-12-22 02:32 UTC by Sam Fowler
Modified: 2019-02-08 14:56 UTC (History)
44 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An arbitrary memory r/w access issue was found in the Linux kernel compiled with the eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation errors in the eBPF verifier module, triggered by user supplied malicious BPF program. An unprivileged user could use this flaw to escalate their privileges on a system. Setting parameter "kernel.unprivileged_bpf_disabled=1" prevents such privilege escalation by restricting access to bpf(2) call.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Sam Fowler 2017-12-22 02:32:29 UTC
Linux kernel built with the eBPF bpf(2) system call(CONFIG_BPF_SYSCALL) support
is vulnerable to an arbitrary memory r/w access issue. It could occur if a user supplied a malicious BPF program which results calculations error in eBPF verifier module.

An unprivileged user could use this flaw to escalate their privileges on a system.

Upstream patch
--------------
  -> https://git.kernel.org/linus/3db9128fcf02dcaafa3860a69a8a55d5529b6e30

References:
-----------
  -> http://seclists.org/oss-sec/2017/q4/429
  -> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16995
  -> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16995
  -> https://bugs.chromium.org/p/project-zero/issues/detail?id=1454

Mitigation:
-----------
  # echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled

Comment 1 Sam Fowler 2017-12-22 02:33:30 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1528519]

Comment 6 Eric Christensen 2018-01-02 13:32:32 UTC
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.

Comment 7 Jeremy Cline 2018-01-11 18:55:26 UTC
This was fixed in Fedora as kernel-4.14.11 which pushed to stable on January 4, 2018


Note You need to log in before you can comment on or make changes to this bug.