Bug 1817350 (CVE-2020-8835) - CVE-2020-8835 kernel: out-of-bounds read/write in the bpf verifier
Summary: CVE-2020-8835 kernel: out-of-bounds read/write in the bpf verifier
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-8835
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1818941
Blocks: 1817351
TreeView+ depends on / blocked
 
Reported: 2020-03-26 08:28 UTC by msiddiqu
Modified: 2020-05-22 00:26 UTC (History)
49 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An out-of-bounds access flaw was found in the Linux kernel’s implementation of the eBPF code verifier, where an incorrect register bounds calculation while checking 32-bit instructions in an eBPF program occurs. This flaw allows an unprivileged user or process to execute eBPF programs to crash the kernel, resulting in a denial of service or potentially gaining root privileges on the system.
Clone Of:
Environment:
Last Closed: 2020-03-30 22:31:50 UTC


Attachments (Terms of Use)

Description msiddiqu 2020-03-26 08:28:26 UTC
An out-of-bounds access issue was found in the eBPF code verifier implemented in the Linux kernel. It occurs due to incorrect register bounds calculation while checking 32bit instructions in a eBPF program.

An unprivileged user/process able to execute eBPF programs could use this flaw to crash the kernel resulting in DoS or potentially gain root privileges on the system.

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/03/30/3

Comment 1 Prasad J Pandit 2020-03-27 12:37:22 UTC
Mitigation:

The Linux kernel versions as shipped with Red Hat Enterprise Linux 5, 6, 7, 8 and Red Hat Enterprise Linux MRG 2 are not affected because they did not backport the commit

  581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")

which introduced this issue. Also by default unprivileged user are not allowed to access bpf(2) syscall.

Fedora kernel allows unprivileged users to access to bpf(2) syscall by default and is prone to this issue. To disable unprivileged access to bpf(2) sycall set following sysctl(8) variable:

# sysctl -w kernel.unprivileged_bpf_disabled=1

Comment 2 Prasad J Pandit 2020-03-27 18:52:41 UTC
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8 and Red Hat Enterprise MRG 2.

Comment 3 Prasad J Pandit 2020-03-30 18:17:36 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1818941]

Comment 4 Product Security DevOps Team 2020-03-30 22:31:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8835

Comment 5 Fedora Update System 2020-04-05 00:16:33 UTC
FEDORA-2020-4ef0bcc89c has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 6 Wade Mealing 2020-05-22 00:21:17 UTC
https://www.thezdi.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification

^ says apparently 4.4+ we no longer need CAP_SYS_ADMIN to run ebpf by default anymore.. not sure if this is optional to configuration or not.

Comment 7 Wade Mealing 2020-05-22 00:26:54 UTC
kernel.unprivileged_bpf_disabled; if set to '1', normal users can't use eBPF


Note You need to log in before you can comment on or make changes to this bug.