Bug 2226783 (CVE-2023-39191, ZDI-CAN-19399) - CVE-2023-39191 kernel: eBPF: insufficient stack type checks in dynptr
Summary: CVE-2023-39191 kernel: eBPF: insufficient stack type checks in dynptr
Keywords:
Status: NEW
Alias: CVE-2023-39191, ZDI-CAN-19399
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2227282 2227283 2227284 2227285 2227286 2242087
Blocks: 2225771
TreeView+ depends on / blocked
 
Reported: 2023-07-26 14:04 UTC by Mauro Matteo Cascella
Modified: 2024-02-05 17:04 UTC (History)
53 users (show)

Fixed In Version: kernel 6.3-rc1
Doc Type: If docs needed, set a value
Doc Text:
An improper input validation flaw was found in the eBPF subsystem in the Linux kernel. The issue occurs due to a lack of proper validation of dynamic pointers within user-supplied eBPF programs prior to executing them. This may allow an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code in the context of the kernel.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:6835 0 None None None 2023-11-09 07:11:09 UTC
Red Hat Product Errata RHBA-2024:0688 0 None None None 2024-02-05 17:04:20 UTC
Red Hat Product Errata RHSA-2023:6583 0 None None None 2023-11-07 08:20:45 UTC
Red Hat Product Errata RHSA-2024:0381 0 None None None 2024-01-23 17:50:37 UTC
Red Hat Product Errata RHSA-2024:0439 0 None None None 2024-01-24 16:35:57 UTC
Red Hat Product Errata RHSA-2024:0448 0 None None None 2024-01-24 16:37:53 UTC

Description Mauro Matteo Cascella 2023-07-26 14:04:59 UTC
BPF recently supported a new feature, dynptr (https://lwn.net/Articles/895885). An improper input validation issue was found in dynptr, potentially leading to local privilege escalation. This flaw requires CAP_BPF to be exploited.

Comment 14 Mauro Matteo Cascella 2023-10-04 10:19:24 UTC
Upstream patch:
https://lore.kernel.org/all/20230121002241.2113993-1-memxor@gmail.com/

Comment 15 Mauro Matteo Cascella 2023-10-04 10:22:35 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2242087]

Comment 16 Mauro Matteo Cascella 2023-10-04 17:12:37 UTC
ZDI security advisory:
https://www.zerodayinitiative.com/advisories/ZDI-CAN-19399

Comment 17 Justin M. Forbes 2023-10-05 14:23:12 UTC
This was fixed for Fedora with the 6.2.3 stable kernel updates.

Comment 18 errata-xmlrpc 2023-11-07 08:20:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6583 https://access.redhat.com/errata/RHSA-2023:6583

Comment 19 errata-xmlrpc 2024-01-23 17:50:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0381 https://access.redhat.com/errata/RHSA-2024:0381

Comment 20 errata-xmlrpc 2024-01-24 16:35:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0439 https://access.redhat.com/errata/RHSA-2024:0439

Comment 21 errata-xmlrpc 2024-01-24 16:37:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0448 https://access.redhat.com/errata/RHSA-2024:0448


Note You need to log in before you can comment on or make changes to this bug.