Fedora Account System
Red Hat Associate
Red Hat Customer
The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. Reference: https://www.openwall.com/lists/oss-security/2021/03/23/2 Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9b00f1b78809
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1942669]
This was fixed for Fedora with the 5.10.19 stable kernel updates.
Mitigation: The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space. For the Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled. For the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command: # cat /proc/sys/kernel/unprivileged_bpf_disabled The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.
Statement: This flaw is rated as having Moderate impact because of the need to have elevated privileges or non-standard configuration for running BPF script.