There is a vulnerability in Linux kernel versions higher than 5.2 (if the kernel is compiled with the config params CONFIG_BPF_SYSCALL=y, CONFIG_BPF=y, CONFIG_CGROUPS=y, CONFIG_CGROUP_BPF=y, CONFIG_HARDENED_USERCOPY not set, and a BPF hook to getsockopt is registered). As a result of BPF execution, a local user can trigger a bug in the __cgroup_bpf_run_filter_getsockopt() function that can lead to a heap overflow (because of non-hardened usercopy). The impact of the attack could be denial of service or possibly privilege escalation.
Name: Loris Reiff
This flaw is rated as having Moderate impact because of the need to have elevated privileges or non-standard configuration for running BPF script.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1926781]
As a temporary solution, set the following sysctl: kernel.unprivileged_bpf_disabled = 1
This applies only starting from Red Hat Enterprise Linux 8.
(In reply to Alex from comment #12)
> As a temporary solution, set the following sysctl:
> kernel.unprivileged_bpf_disabled = 1
> This applies only starting from Red Hat Enterprise Linux 8.
In RHEL 8, unprivileged_bpf_disabled is set to 1 by default. (Moreover, if it's forced to 0, the kernel gets tainted and unsupported.)
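An audit helper, added here and not part of the bug report or of any Red Hat tooling, that encodes the exposure conditions from the first comment (kernel above 5.2, the four CONFIG_* options enabled, CONFIG_HARDENED_USERCOPY unset) and the kernel.unprivileged_bpf_disabled workaround discussed in the later comments. It takes version, config file and sysctl value as arguments so it can be exercised on constructed data; the `--live` wrapper assumes the running kernel's config is readable from /proc/config.gz or /boot/config-$(uname -r).

```sh
#!/bin/sh
# Added audit helper; not from the bug report. Whether a BPF getsockopt hook
# is actually attached to a cgroup is NOT checked here (inspect cgroup BPF
# attachments separately); the version gate follows the report's "higher than
# 5.2" and does not account for distro backports into older version numbers.

# kernel_after_5_2 VERSION -> exit 0 if major.minor is strictly above 5.2
kernel_after_5_2() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -s -d. -f2)
  minor=${minor%%[!0-9]*}                 # drop suffixes such as "-rc1"
  [ "${major:-0}" -gt 5 ] || { [ "${major:-0}" -eq 5 ] && [ "${minor:-0}" -gt 2 ]; }
}

# config_enabled CONFIG_FILE OPTION -> exit 0 if "OPTION=y" is present
config_enabled() { grep -q "^$2=y\$" "$1"; }

# assess VERSION CONFIG_FILE UNPRIV_BPF_DISABLED -> prints a verdict prefixed
# with not-affected / mitigated / exposed; exit status 0 only when exposed
assess() {
  ver=$1; cfg=$2; unpriv=$3
  if ! kernel_after_5_2 "$ver"; then
    echo "not-affected: kernel $ver is not above 5.2"; return 1
  fi
  for opt in CONFIG_BPF_SYSCALL CONFIG_BPF CONFIG_CGROUPS CONFIG_CGROUP_BPF; do
    config_enabled "$cfg" "$opt" || { echo "not-affected: $opt not enabled"; return 1; }
  done
  if config_enabled "$cfg" CONFIG_HARDENED_USERCOPY; then
    echo "mitigated: CONFIG_HARDENED_USERCOPY=y bounds the usercopy"; return 1
  fi
  # any non-zero value denies bpf() to unprivileged users (the report says 1)
  if [ "${unpriv:-0}" -ne 0 ]; then
    echo "mitigated: kernel.unprivileged_bpf_disabled=$unpriv"; return 1
  fi
  echo "exposed: unprivileged BPF allowed on non-hardened kernel $ver"; return 0
}

# audit_live: run assess against this host, reading only system files
audit_live() {
  ver=$(uname -r); tmp=$(mktemp)
  if [ -r /proc/config.gz ]; then zcat /proc/config.gz > "$tmp"
  elif [ -r "/boot/config-$ver" ]; then cat "/boot/config-$ver" > "$tmp"
  else echo "no kernel config found"; rm -f "$tmp"; return 2; fi
  unpriv=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null)
  assess "$ver" "$tmp" "$unpriv"; rc=$?
  rm -f "$tmp"; return $rc
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```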