Bug 1957788 (CVE-2021-31829) - CVE-2021-31829 kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory
Summary: CVE-2021-31829 kernel: protection of stack pointer against speculative pointe...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-31829
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1959857 1959858 1959859 1959860 1957789 1958068 1958069 1958070 1958071 1958072
Blocks: 1957790
TreeView+ depends on / blocked
 
Reported: 2021-05-06 13:37 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:22 UTC (History)
43 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's eBPF verification code. By default, accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. This flaw allows a local user who can insert eBPF instructions, to use the eBPF verifier to abuse a spectre-like flaw and infer all system memory. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2021-11-09 20:25:37 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4140 0 None None None 2021-11-09 17:22:26 UTC
Red Hat Product Errata RHSA-2021:4356 0 None None None 2021-11-09 18:25:11 UTC

Description Guilherme de Almeida Suckevicz 2021-05-06 13:37:11 UTC
Programs inserted by privileged users can run Privileged BPF programs running on affected systems can bypass the protection and execute speculative loads from the kernel stack. This can be abused to extract contents of the stack via side-channel. The extracted contents may include addresses of kernel structures that could be used to defeat Kernel Address Space Layout Randomization (KASLR) to facilitate the exploitation of other vulnerabilities.

Reference:
https://www.openwall.com/lists/oss-security/2021/05/04/4

Upstream patches:
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b9b34ddbe2076ade359cd5ce7537d5ed019e9807
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=801c6058d14a82179a7ee17a4b532cac6fad067f

Comment 1 Guilherme de Almeida Suckevicz 2021-05-06 13:38:35 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1957789]

Comment 8 Wade Mealing 2021-05-10 02:53:19 UTC
Mitigation:

The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space.

For the Red Hat Enterprise Linux 7 and 8 kernel  to confirm the current state, inspect the sysctl with the command:

# cat /proc/sys/kernel/unprivileged_bpf_disabled

The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.

A kernel update will be required to mitigate the flaw for the root or users with CAP_SYS_ADMIN capabilities.

Comment 14 errata-xmlrpc 2021-11-09 17:22:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4140 https://access.redhat.com/errata/RHSA-2021:4140

Comment 15 errata-xmlrpc 2021-11-09 18:25:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4356 https://access.redhat.com/errata/RHSA-2021:4356

Comment 16 Product Security DevOps Team 2021-11-09 20:25:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31829


Note You need to log in before you can comment on or make changes to this bug.