Bug 1912683 (CVE-2021-20194) - CVE-2021-20194 kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt()
Summary: CVE-2021-20194 kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt()
Keywords:
Status: NEW
Alias: CVE-2021-20194
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1918724 1918726 1926781
Blocks: 1911540 1926997
Reported: 2021-01-05 07:53 UTC by Dhananjay Arunesh
Modified: 2021-03-29 06:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow flaw was found in the Linux kernel BPF subsystem in the way a user running a BPF script calls getsockopt. A local user could use this flaw to crash the system or possibly escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:



Description Dhananjay Arunesh 2021-01-05 07:53:19 UTC
There is a vulnerability in Linux kernel versions higher than 5.2 (if the kernel is compiled with the config params CONFIG_BPF_SYSCALL=y, CONFIG_BPF=y, CONFIG_CGROUPS=y, CONFIG_CGROUP_BPF=y, CONFIG_HARDENED_USERCOPY not set, and a BPF hook for getsockopt is registered). As a result of BPF execution, a local user can trigger a bug in the __cgroup_bpf_run_filter_getsockopt() function that can lead to a heap overflow (because of non-hardened usercopy). The impact of the attack could be denial of service or possibly privilege escalation.

Comment 1 Alex 2021-01-05 09:09:09 UTC
Acknowledgments:

Name: Loris Reiff

Comment 6 Petr Matousek 2021-01-14 12:27:08 UTC
Statement:

This flaw is rated as having Moderate impact because of the need to have elevated privileges or a non-standard configuration for running a BPF script.

Comment 10 Alex 2021-02-09 13:00:38 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1926781]

Comment 12 Alex 2021-03-03 18:54:11 UTC
Mitigation:

As a temporary solution, set the following sysctl: kernel.unprivileged_bpf_disabled = 1
This is actual only starting from Red Hat Enterprise Linux 8.

Comment 13 Jiri Benc 2021-03-29 06:19:12 UTC
(In reply to Alex from comment #12)
> As a temporary solution set the following sysctl:
> kernel.unprivileged_bpf_disabled = 1
> This is actual only starting from Red Hat Enterprise Linux 8.

In RHEL 8, unprivileged_bpf_disabled is set to 1 by default. (Moreover, if it's forced to 0, the kernel gets tainted and unsupported.)
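
The following posture check is an added example, not part of the bug report or any Red Hat tooling. It evaluates the kernel config conditions listed in the description (CONFIG_BPF_SYSCALL, CONFIG_BPF, CONFIG_CGROUPS, CONFIG_CGROUP_BPF enabled and CONFIG_HARDENED_USERCOPY not set) together with the kernel.unprivileged_bpf_disabled sysctl from comment 12; the function names and the sample config are my own, and whether a BPF getsockopt hook is actually registered is a runtime condition it does not check.

```shell
#!/bin/sh
# Added example: static posture check for the conditions named in the report.
# Function and sample names are this example's own, not from the bug report.

# cve_2021_20194_exposed CONFIG_FILE UNPRIV_BPF_DISABLED
# Returns 0 when the config matches the reported conditions and unprivileged
# BPF is enabled (sysctl value 0); returns 1 otherwise and prints the reason.
cve_2021_20194_exposed() {
    cfg=$1
    unpriv_disabled=$2
    for opt in CONFIG_BPF_SYSCALL CONFIG_BPF CONFIG_CGROUPS CONFIG_CGROUP_BPF; do
        grep -qx "${opt}=y" "$cfg" || { echo "not exposed: $opt not enabled"; return 1; }
    done
    if grep -qx 'CONFIG_HARDENED_USERCOPY=y' "$cfg"; then
        echo "not exposed: CONFIG_HARDENED_USERCOPY=y is outside the reported conditions"
        return 1
    fi
    if [ "$unpriv_disabled" != "0" ]; then
        echo "mitigated: kernel.unprivileged_bpf_disabled=$unpriv_disabled (comment 12 workaround)"
        return 1
    fi
    echo "exposed: update the kernel or set kernel.unprivileged_bpf_disabled=1"
    return 0
}

# Check the running kernel: config from /proc/config.gz or /boot/config-<release>.
check_running_kernel() {
    tmp=$(mktemp)
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz > "$tmp"
    else cat "/boot/config-$(uname -r)" > "$tmp"; fi
    cve_2021_20194_exposed "$tmp" "$(sysctl -n kernel.unprivileged_bpf_disabled)"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample config for a self-test (not taken from any real system).
# $1 = output path, $2 = "hardened" or "unhardened"
write_sample_config() {
    {
        echo "CONFIG_BPF=y"; echo "CONFIG_BPF_SYSCALL=y"
        echo "CONFIG_CGROUPS=y"; echo "CONFIG_CGROUP_BPF=y"
        if [ "$2" = hardened ]; then echo "CONFIG_HARDENED_USERCOPY=y"
        else echo "# CONFIG_HARDENED_USERCOPY is not set"; fi
    } > "$1"
}

if [ "${1:-}" = "--running-kernel" ]; then check_running_kernel; fi
```

Run it as `sh check.sh --running-kernel` on the host; the functions can also be sourced and pointed at a saved config file for offline review.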

