Bug 2124061 - kernel: eBPF verifier bug: Mishandling in release_reg_references() cause a PTR leak vulnerability
Summary: kernel: eBPF verifier bug: Mishandling in release_reg_references() cause a PT...
Keywords:
Status: NEW
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2151552 2151560 2151561 2151562 2151563
Blocks: 2109540
TreeView+ depends on / blocked
 
Reported: 2022-09-04 11:17 UTC by Alex
Modified: 2023-07-07 08:32 UTC (History)
51 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw possible leak of data in the Linux kernel's BPF subsystem was found in the way user triggers release_reg_references() of BPF in the way that release fails. A local user could use this flaw to get unprivileged access to some data or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Alex 2022-09-04 11:17:44 UTC 
A flaw found in the Linux Kernel in kernel/bpf/verifier.c.
Leak of data from pointer possible because of the possibility to call BPF_FUNC_ringbuf_discard after BPF_FUNC_ringbuf_reserve where SCALAR_VALUE assigned to data previously contained a pointer value at runtime.

Reference:
https://lore.kernel.org/bpf/8f4c3e52-ce86-cbfc-5e76-884596ec11d7@fb.com/
Comment 1 Alex 2022-12-07 13:50:45 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2151552]
Note You need to log in before you can comment on or make changes to this bug.