Speculation on pointer arithmetic against bpf_context pointer allows unprivileged local users to leak content of kernel memory. # Bug Fix The minimal fix is: * bpf: Prohibit alu ops for pointer types not defining ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 ] However it is recommended to use the whole series that also includes fix for another similar vulnerability reported at the same time and improvements of the affected code: * bpf: Prohibit alu ops for pointer types not defining ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 ] * bpf: Fix off-by-one for area size in creating mask to left [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899 ] * bpf: Simplify alu_limit masking for pointer arithmetic [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b5871dca250cd391885218b99cc015aca1a51aea ] * bpf: Add sanity check for upper ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=1b1597e64e1a610c7a96710fc4717158e98a08b3 ] * bpf, selftests: Fix up some test_verifier cases for unprivileged [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=0a13e3537ea67452d549a6a80da3776d6b7dedb3 ]
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1940839]
Mitigation: The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space. For the Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled. For the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command: # cat /proc/sys/kernel/unprivileged_bpf_disabled The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw. A kernel update will be required to mitigate the flaw for the root or users with CAP_SYS_ADMIN capabilities.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2314 https://access.redhat.com/errata/RHSA-2021:2314
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2316 https://access.redhat.com/errata/RHSA-2021:2316
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27170