Bug 1981954 (CVE-2021-3600) - CVE-2021-3600 kernel: eBPF 32-bit source register truncation on div/mod
Summary: CVE-2021-3600 kernel: eBPF 32-bit source register truncation on div/mod
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3600
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1874007 1981955 1983736 1983737 1983738 1983739 1983740 1983741
Blocks: 1981956
TreeView+ depends on / blocked
 
Reported: 2021-07-13 19:08 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:30 UTC (History)
45 users (show)

Fixed In Version: Kernel 5.11
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel’s eBPF verification code, where the eBPF 32-bit div/mod source register truncation could lead to out-of-bounds reads and writes. By default, accessing the eBPF verifier is only possible to privileged users with CAP_SYS_ADMIN. This flaw allows a local user who can run eBPF instructions to crash the system or possibly escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-11-09 17:51:23 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4140 0 None None None 2021-11-09 17:23:58 UTC
Red Hat Product Errata RHSA-2021:4356 0 None None None 2021-11-09 18:27:51 UTC

Description Guilherme de Almeida Suckevicz 2021-07-13 19:08:18 UTC 
It was discovered that eBPF 32-bit div/mod source register truncation could lead to out-of-bounds reads and writes in the kernel. It was introduced by commit 68fda450a7df ("bpf: fix 32-bit divide by zero"). It was first introduced in 4.15-rc9, but backported and applied to v4.14.y, v4.9.y and v4.4.y. However, this specific attack will not work on v4.4.y and v4.9.y kernels as pointer arithmetic is prohibited on those kernels. This was introduced by commit f1174f77b50c ("bpf/verifier: rework value tracking"), in v4.14-rc1. The fix is commit e88b2c6e5a4d ("bpf: Fix 32 bit src register truncation on div/mod"), introduced in v5.11. It was backported and applied on v5.10.y and v5.4.y, but not v4.19.y and v4.14.y.

Reference:
https://www.openwall.com/lists/oss-security/2021/06/23/1
Comment 1 Guilherme de Almeida Suckevicz 2021-07-13 19:09:08 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1981955]
Comment 2 Justin M. Forbes 2021-07-16 15:58:27 UTC 
This was fixed for Fedora with the 5.10.16 stable kernel updates.
Comment 6 errata-xmlrpc 2021-11-09 17:23:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4140 https://access.redhat.com/errata/RHSA-2021:4140
Comment 7 Product Security DevOps Team 2021-11-09 17:51:19 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3600
Comment 8 errata-xmlrpc 2021-11-09 18:27:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4356 https://access.redhat.com/errata/RHSA-2021:4356
Note You need to log in before you can comment on or make changes to this bug.