An out-of-bounds access issue was found in the eBPF code verifier implemented in the Linux kernel. It occurs due to incorrect register bounds calculation while checking 32-bit instructions in an eBPF program.
An unprivileged user/process able to execute eBPF programs could use this flaw to crash the kernel, resulting in a denial of service (DoS), or potentially to gain root privileges on the system.
The Linux kernel versions as shipped with Red Hat Enterprise Linux 5, 6, 7, 8 and Red Hat Enterprise Linux MRG 2 are not affected because they did not backport the commit
581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")
which introduced this issue. Also, by default unprivileged users are not allowed to access the bpf(2) syscall.
The Fedora kernel allows unprivileged users to access the bpf(2) syscall by default and is prone to this issue. To disable unprivileged access to the bpf(2) syscall, set the following sysctl(8) variable:
# sysctl -w kernel.unprivileged_bpf_disabled=1
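The following shell functions, added here as an example and not part of the bug report, audit whether the mitigation above is in place and write it persistently. They assume the sysctl is exposed at /proc/sys/kernel/unprivileged_bpf_disabled (standard on Linux) and that a drop-in under /etc/sysctl.d/ is picked up at boot; the file path is a parameter so the check can also be run against a constructed file. The value 2 (disabled, but switchable back to 0 at runtime) exists in newer kernels and is not mentioned in this report.

```shell
#!/bin/sh
# Added example (not from the bug report): audit and persist the
# kernel.unprivileged_bpf_disabled mitigation recommended above.

# Assumed location of the live sysctl; overridable for offline checks.
SYSCTL_FILE=/proc/sys/kernel/unprivileged_bpf_disabled

# Map a raw sysctl value to a mitigation state.
#   0 = unprivileged users may call bpf(2) (the Fedora default in this report)
#   1 = disabled; cannot be re-enabled without a reboot
#   2 = disabled; may be set back to 0 at runtime (newer kernels only)
describe_bpf_setting() {
    case "$1" in
        0) echo "unprivileged-allowed" ;;
        1) echo "disabled-locked" ;;
        2) echo "disabled-runtime" ;;
        *) echo "unknown" ;;
    esac
}

# Read the sysctl (default: the live /proc entry) and report its state.
# Exit status: 0 = mitigation in place, 1 = unprivileged eBPF allowed or
# unrecognised value, 2 = setting not readable (e.g. non-Linux host).
check_unprivileged_bpf() {
    file="${1:-$SYSCTL_FILE}"
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    value=$(tr -d '[:space:]' < "$file")
    state=$(describe_bpf_setting "$value")
    echo "kernel.unprivileged_bpf_disabled=$value ($state)"
    case "$state" in
        disabled-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a sysctl.d drop-in so the setting survives a reboot.
# The drop-in file name is an assumption; any name under sysctl.d works.
write_persistent_setting() {
    dir="${1:-/etc/sysctl.d}"
    printf 'kernel.unprivileged_bpf_disabled = 1\n' > "$dir/99-disable-unpriv-bpf.conf"
}
```

Run `check_unprivileged_bpf` as part of a host audit; a non-zero exit on a Fedora host means the sysctl from the report has not been applied.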
This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8 and Red Hat Enterprise MRG 2.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1818941]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
FEDORA-2020-4ef0bcc89c has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
^ says apparently 4.4+ we no longer need CAP_SYS_ADMIN to run ebpf by default anymore. Not sure if this is optional to configuration or not.
kernel.unprivileged_bpf_disabled; if set to '1', normal users can't use eBPF