Bug 2010090 (CVE-2021-20320) - CVE-2021-20320 kernel: s390 eBPF JIT miscompilation issues fixes
Summary: CVE-2021-20320 kernel: s390 eBPF JIT miscompilation issues fixes
Keywords:
Status: NEW
Alias: CVE-2021-20320
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2012561 2012691 2012692 2012693
Blocks: 2005824 2013145
Reported: 2021-10-03 15:58 UTC by Rohit Keshri
Modified: 2022-07-16 03:21 UTC (History)

Fixed In Version: kernel 5.15 rc3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the s390 eBPF JIT, in bpf_jit_insn in arch/s390/net/bpf_jit_comp.c in the Linux kernel. Through this flaw, a local attacker with special user privilege can circumvent the verifier, which may lead to a confidentiality problem.
Clone Of:
Environment:
Last Closed:



Description Rohit Keshri 2021-10-03 15:58:21 UTC
A flaw was found in the s390 eBPF JIT, in bpf_jit_insn in arch/s390/net/bpf_jit_comp.c in the Linux kernel. Through this flaw, a local attacker with special user privilege can circumvent the verifier, which may lead to a confidentiality problem.

Uncovered three miscompilation issues in the s390 eBPF JIT. They can be used by an unprivileged local user to circumvent the verifier and gain root privileges. This series fixes all 3; no new tests are required since Johan's tests will be integrated upstream.

- 2 fixes are for the initial s390x eBPF JIT compiler backend implementation, v4.1+
- 1 fix is for v5.5+

https://lore.kernel.org/bpf/20210902185229.1840281-1-johan.almbladh@anyfinetworks.com/

Comment 1 Rohit Keshri 2021-10-10 09:50:03 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2012561]

Comment 9 Justin M. Forbes 2021-10-13 13:44:25 UTC
This was fixed for Fedora with the 5.14.7 stable kernel update.
