A vulnerability was found in the Linux kernel in kernel/bpf/verifier.c, in retrieve_ptr_limit(), which computes the size ('ptr_limit') of the valid memory area for registers of type 'stack' and 'map_value' for the purpose of bound checks. In this flaw there was an off-by-one in the area size, which may lead to an incorrect mask being created to the left, and thus to an incorrect arithmetic operation in the non-speculative domain. A local attacker with the special user privilege 'CAP_SYS_ADMIN' (Moderate impact flaw) may leak kernel internal information, and may even cause a denial-of-service problem.

Additional Information:

# Bug Fix

The minimal fix is:

* bpf: Fix off-by-one for area size in creating mask to left [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899 ]

However, it is recommended to use the whole series, which also includes the fix for another similar vulnerability reported at the same time and improvements of the affected code:

* bpf: Prohibit alu ops for pointer types not defining ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 ]
* bpf: Fix off-by-one for area size in creating mask to left [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899 ]
* bpf: Simplify alu_limit masking for pointer arithmetic [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b5871dca250cd391885218b99cc015aca1a51aea ]
* bpf: Add sanity check for upper ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=1b1597e64e1a610c7a96710fc4717158e98a08b3 ]
* bpf, selftests: Fix up some test_verifier cases for unprivileged [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=0a13e3537ea67452d549a6a80da3776d6b7dedb3 ]
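As an added illustration of the flaw class described above (not code from this bug, the kernel or Red Hat), the C model below reproduces the runtime ALU mask that the verifier wraps around unprivileged pointer arithmetic and the ptr_limit it is fed for a stack pointer moving left. The mask instruction sequence and the two limit expressions (MAX_BPF_STACK + off without and with the "+ 1") are my reconstruction of the verifier logic and should be read as assumptions; what the model shows is how a limit that is one too small makes the runtime-masked pointer diverge from the offset the verifier tracked.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_BPF_STACK 512  /* eBPF stack size; grows down from FP at offset 0 */

/* Model of the runtime mask emitted around unprivileged pointer arithmetic:
 * the delta register is kept only when 0 <= delta < limit, else it becomes 0.
 * Assumed sequence (reconstruction, not kernel code): MOV32 ax, limit-1;
 * SUB ax, delta; OR ax, delta; NEG ax; ARSH ax, 63; AND delta, ax. */
static uint64_t alu_mask(uint32_t limit, uint64_t delta)
{
    uint64_t ax = (uint32_t)(limit - 1);   /* MOV32_IMM zero-extends */
    ax -= delta;                           /* SUB: negative if delta > limit-1 */
    ax |= delta;                           /* OR: keeps the sign bit */
    ax = 0u - ax;                          /* NEG */
    ax = ((int64_t)ax < 0) ? ~0ull : 0;    /* ARSH 63: all ones or all zeros */
    return ax & delta;                     /* AND */
}

/* ptr_limit for a PTR_TO_STACK register at constant offset 'off' (<= 0) from
 * FP when it moves left (subtracts a positive delta). fixed == 0 models the
 * assumed pre-fix expression, fixed == 1 the same with the "+ 1" of the fix. */
static uint32_t stack_limit_left(int32_t off, int fixed)
{
    return (uint32_t)(MAX_BPF_STACK + off + fixed);
}

struct sub_result {
    int32_t verifier_off; /* offset the verifier tracks after ptr -= delta */
    int32_t runtime_off;  /* offset the program actually ends up with */
    int in_bounds;        /* verifier_off lies inside the stack area */
    int mismatch;         /* runtime state diverged from verifier state */
};

/* Compare the verifier's view of "ptr -= delta" with the masked runtime result. */
static struct sub_result model_stack_sub(int32_t off, uint32_t delta, int fixed)
{
    struct sub_result r;
    uint64_t masked = alu_mask(stack_limit_left(off, fixed), delta);
    r.verifier_off = off - (int32_t)delta;
    r.runtime_off = off - (int32_t)masked;
    r.in_bounds = r.verifier_off >= -MAX_BPF_STACK && r.verifier_off < 0;
    r.mismatch = r.verifier_off != r.runtime_off;
    return r;
}

int main(void)
{
    /* Constructed case: pointer at fp-8, subtract 504 to reach fp-512. */
    struct sub_result before = model_stack_sub(-8, 504, 0);
    struct sub_result after = model_stack_sub(-8, 504, 1);
    printf("verifier %d | runtime before fix %d | after fix %d\n",
           before.verifier_off, before.runtime_off, after.runtime_off);
    return 0;
}
```

With the pre-fix limit the verifier believes the pointer reached fp-512 while the masked program still sits at fp-8, so later checks are made against the wrong offset; with the corrected limit both agree.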
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1940838]
Acknowledgments: Name: Piotr Krysiuk <piotras>
Mitigation: The default Red Hat Enterprise Linux kernel prevents unprivileged users from using eBPF via the kernel.unprivileged_bpf_disabled sysctl. Abusing this flaw therefore requires a privileged user with CAP_SYS_ADMIN or root, which reduces its attack surface. On Red Hat Enterprise Linux 7, eBPF for unprivileged users is always disabled. On Red Hat Enterprise Linux 8, confirm the current state by inspecting the sysctl with the command:

# cat /proc/sys/kernel/unprivileged_bpf_disabled

A value of 1 means that unprivileged users cannot use eBPF, mitigating the flaw.
Statement: The default Red Hat Enterprise Linux kernel differs from upstream in that it prevents unprivileged users from using eBPF via the kernel.unprivileged_bpf_disabled sysctl. A value of 1, which is the default setting, means that unprivileged users cannot use eBPF, and this mitigates the flaw. Abusing this flaw therefore requires a privileged user with CAP_SYS_ADMIN or root, which reduces its attack surface; successful abuse may even cause a denial-of-service problem.
(In reply to Pedro Sampaio from comment #0)
> The minimal fix is:
>
> * bpf: Fix off-by-one for area size in creating mask to left [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899 ]
>
> However it is recommended to use the whole series that also includes
> fix for another similar vulnerability reported at the same time and
> improvements of the affected code:
>
> * bpf: Prohibit alu ops for pointer types not defining ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 ]
> * bpf: Fix off-by-one for area size in creating mask to left [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899 ]
> * bpf: Simplify alu_limit masking for pointer arithmetic [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b5871dca250cd391885218b99cc015aca1a51aea ]
> * bpf: Add sanity check for upper ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=1b1597e64e1a610c7a96710fc4717158e98a08b3 ]
> * bpf, selftests: Fix up some test_verifier cases for unprivileged [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=0a13e3537ea67452d549a6a80da3776d6b7dedb3 ]

Hi, this is the same set of commits as for BZ1940627, which is already on the way to be merged. How should I close this one?

Thanks,
Jirka
Hello Jirka, thank you for bringing this to us. The researcher has multiple recommended patches for this category of flaw, among which CVE-2020-27170 and CVE-2020-27171 were recorded.

https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76
Subject: bpf: Prohibit alu ops for pointer types not defining ptr_limit

https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899
Subject: bpf: Fix off-by-one for area size in creating mask to left

Both of these patches were intended to streamline error propagation on ptr_limit in kernel/bpf/verifier.c, for the two different functions sanitize_ptr_alu() and retrieve_ptr_limit(), with a minimal fix and the full series suggested as below. We request engineering's view on whether to consider this the same problem with multiple suggestions, or a different bug.

*************************
The minimal fix is:

* bpf: Prohibit alu ops for pointer types not defining ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 ]

However it is recommended to use the whole series that also includes fix for another similar vulnerability reported at the same time and improvements of the affected code:

* bpf: Prohibit alu ops for pointer types not defining ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 ]
* bpf: Fix off-by-one for area size in creating mask to left [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899 ]
* bpf: Simplify alu_limit masking for pointer arithmetic [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b5871dca250cd391885218b99cc015aca1a51aea ]
* bpf: Add sanity check for upper ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=1b1597e64e1a610c7a96710fc4717158e98a08b3 ]
* bpf, selftests: Fix up some test_verifier cases for unprivileged [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=0a13e3537ea67452d549a6a80da3776d6b7dedb3 ]
******************************

If both flaws are considered to be fixing the same problem, consider closing this as a duplicate.

Regards,
Rohit
(In reply to Rohit Keshri from comment #12)
...
> If both flaws are considered to be fixing the same problem, consider
> closing this as a duplicate.

Hmm, I don't seem to have rights to close this.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27171