A vulnerability exists in Linux kernel versions newer than 5.2 when the kernel is built with CONFIG_BPF_SYSCALL=y, CONFIG_BPF=y, CONFIG_CGROUPS=y, CONFIG_CGROUP_BPF=y, CONFIG_HARDENED_USERCOPY not set, and a BPF hook for getsockopt is registered. As a result of BPF execution, a local user can trigger a bug in the __cgroup_bpf_run_filter_getsockopt() function that can lead to a heap overflow (because the usercopy is not hardened). The impact could be denial of service or possibly privilege escalation.
Acknowledgments: Name: Loris Reiff
Statement: This flaw is rated as having Moderate impact because of the need to have elevated privileges or a non-standard configuration for running a BPF program.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1926781]
Mitigation: As a temporary solution set the following sysctl:
kernel.unprivileged_bpf_disabled = 1
This applies only starting from Red Hat Enterprise Linux 8.
(In reply to Alex from comment #12)
> As a temporary solution set the following sysctl:
> kernel.unprivileged_bpf_disabled = 1
> This is actual only starting from Red Hat Enterprise Linux 8.

In RHEL 8, unprivileged_bpf_disabled is set to 1 by default. (Moreover, if it's forced to 0, the kernel gets tainted and unsupported.)
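As an added example (not part of this bug report and not Red Hat tooling), the POSIX shell script below audits a host for the build-option combination listed in the description and for the sysctl mitigation from comment #12. It assumes the running kernel's config is readable at /boot/config-$(uname -r) and reads the sysctl from /proc/sys/kernel/unprivileged_bpf_disabled; both paths, and the acceptance of value 2 (the "permanently disabled" setting of newer kernels), are assumptions of this example. The sample config it feeds itself is constructed for demonstration.

```shell
#!/bin/sh
# Added audit script (not from the bug report): checks a kernel .config for the
# build-option combination named in the description, and checks whether the
# sysctl mitigation from comment #12 is in effect.

# kconfig_vulnerable_combo FILE
# Returns 0 when FILE has all four options enabled and CONFIG_HARDENED_USERCOPY
# is absent or "not set"; returns 1 otherwise (including an unreadable FILE).
kconfig_vulnerable_combo() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    for opt in CONFIG_BPF_SYSCALL CONFIG_BPF CONFIG_CGROUPS CONFIG_CGROUP_BPF; do
        grep -q "^${opt}=y\$" "$cfg" || return 1
    done
    # Hardened usercopy bounds-checks copy_to_user() against the heap object;
    # the report names its absence as part of the vulnerable configuration.
    if grep -q '^CONFIG_HARDENED_USERCOPY=y$' "$cfg"; then
        return 1
    fi
    return 0
}

# unpriv_bpf_mitigated VALUE
# VALUE is the content of kernel.unprivileged_bpf_disabled. 1 blocks the bpf()
# syscall for unprivileged users; 2 does so permanently (newer kernels; an
# assumption of this example). Returns 0 when mitigated, 1 otherwise.
unpriv_bpf_mitigated() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_host: live check on this machine. File locations are assumptions about
# a typical distribution layout; a missing file is reported, never treated as safe.
audit_host() {
    cfg="/boot/config-$(uname -r)"
    sysctl_file=/proc/sys/kernel/unprivileged_bpf_disabled
    if kconfig_vulnerable_combo "$cfg"; then
        echo "kernel config $cfg: vulnerable build-option combination present"
    elif [ -r "$cfg" ]; then
        echo "kernel config $cfg: combination not present"
    else
        echo "kernel config $cfg: not readable, cannot judge build options"
    fi
    if [ -r "$sysctl_file" ] && unpriv_bpf_mitigated "$(cat "$sysctl_file")"; then
        echo "unprivileged_bpf_disabled=$(cat "$sysctl_file"): mitigation in effect"
    elif [ -r "$sysctl_file" ]; then
        echo "unprivileged_bpf_disabled=$(cat "$sysctl_file"): unprivileged BPF allowed"
    else
        echo "$sysctl_file: not present"
    fi
}

# demo: runs the config check against a constructed sample .config (made up for
# this example) so the logic can be seen working without a real kernel config.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'CONFIG_BPF=y' 'CONFIG_BPF_SYSCALL=y' 'CONFIG_CGROUPS=y' \
        'CONFIG_CGROUP_BPF=y' '# CONFIG_HARDENED_USERCOPY is not set' > "$tmp"
    if kconfig_vulnerable_combo "$tmp"; then
        echo "sample config: vulnerable combination present"
    fi
    rm -f "$tmp"
}

demo
audit_host
```

The script only covers the build-time and sysctl conditions; the remaining condition from the description, a BPF program actually attached to the cgroup getsockopt hook, is runtime state and is not inspected here (on hosts with bpftool installed, the attached cgroup programs can be listed with `bpftool cgroup tree`). Note that the sysctl check reflects what comment #13 states for RHEL 8: a default value of 1 means the mitigation is already in effect without any change.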
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4140 https://access.redhat.com/errata/RHSA-2021:4140
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4356 https://access.redhat.com/errata/RHSA-2021:4356