Bug 1964028 (CVE-2021-31440) - CVE-2021-31440 kernel: local escalation of privileges in handling of eBPF programs
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-31440
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1966195 1966196 1966197 1966198 1964029 1965938 1965939
Blocks: 1964030
 
Reported: 2021-05-24 14:57 UTC by Marian Rehak
Modified: 2021-11-09 21:24 UTC

Fixed In Version: kernel 5.13 rc1
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier, caused by an incorrect register bounds calculation while checking unsigned 32-bit instructions in an eBPF program. By default, the eBPF verifier is accessible only to privileged users with CAP_SYS_ADMIN. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. A local user could use this flaw to crash the system or possibly escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2021-11-09 21:24:30 UTC
Embargoed:




Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
| --- | --- | --- | --- | --- | --- | --- |
| Red Hat Product Errata | RHSA-2021:4140 | 0 | None | None | None | 2021-11-09 17:23:27 UTC |
| Red Hat Product Errata | RHSA-2021:4356 | 0 | None | None | None | 2021-11-09 18:26:50 UTC |

Description Marian Rehak 2021-05-24 14:57:43 UTC
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.

External Reference:

https://www.zerodayinitiative.com/advisories/ZDI-21-503/

Upstream Fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=10bf4e83167cc68595b85fd73bb91e8f2c086e36

Comment 1 Marian Rehak 2021-05-24 14:58:17 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1964029]

Comment 2 Justin M. Forbes 2021-05-24 16:24:14 UTC
This was fixed for Fedora with the 5.11.21 stable kernel updates.

Comment 19 errata-xmlrpc 2021-11-09 17:23:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4140 https://access.redhat.com/errata/RHSA-2021:4140

Comment 20 errata-xmlrpc 2021-11-09 18:26:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4356 https://access.redhat.com/errata/RHSA-2021:4356

Comment 21 Product Security DevOps Team 2021-11-09 21:24:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31440

