The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. Reference: https://www.openwall.com/lists/oss-security/2021/03/23/2 Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9b00f1b78809
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1942669]
This was fixed for Fedora with the 5.10.19 stable kernel updates.
Mitigation: The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space. For the Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled. For the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command: # cat /proc/sys/kernel/unprivileged_bpf_disabled The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.
Statement: This flaw is rated as having Moderate impact because of the need to have elevated privileges or non-standard configuration for running BPF script.