1528518 – (CVE-2017-16995) CVE-2017-16995 kernel: memory corruption caused by BPF verifier bugs can allow for arbitrary code execution

Bug 1528518 (CVE-2017-16995) - CVE-2017-16995 kernel: memory corruption caused by BPF verifier bugs can allow for arbitrary code execution

Summary: CVE-2017-16995 kernel: memory corruption caused by BPF verifier bugs can allo...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2017-16995
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1528519 1528638 1593283 1809768
Blocks:	1528364
TreeView+	depends on / blocked

Reported:	2017-12-22 02:32 UTC by Sam Fowler
Modified:	2021-02-25 22:16 UTC (History)
CC List:	44 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	An arbitrary memory r/w access issue was found in the Linux kernel compiled with the eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation errors in the eBPF verifier module, triggered by user supplied malicious BPF program. An unprivileged user could use this flaw to escalate their privileges on a system. Setting parameter "kernel.unprivileged_bpf_disabled=1" prevents such privilege escalation by restricting access to bpf(2) call.
Clone Of:
Environment:
Last Closed:	2019-07-12 13:04:40 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sam Fowler 2017-12-22 02:32:29 UTC

Linux kernel built with the eBPF bpf(2) system call(CONFIG_BPF_SYSCALL) support
is vulnerable to an arbitrary memory r/w access issue. It could occur if a user supplied a malicious BPF program which results calculations error in eBPF verifier module.

An unprivileged user could use this flaw to escalate their privileges on a system.

Upstream patch
--------------
  -> https://git.kernel.org/linus/3db9128fcf02dcaafa3860a69a8a55d5529b6e30

References:
-----------
  -> http://seclists.org/oss-sec/2017/q4/429
  -> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16995
  -> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16995
  -> https://bugs.chromium.org/p/project-zero/issues/detail?id=1454

Mitigation:
-----------
  # echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled

Comment 1 Sam Fowler 2017-12-22 02:33:30 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1528519]

Comment 6 Eric Christensen 2018-01-02 13:32:32 UTC

Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.

Comment 7 Jeremy Cline 2018-01-11 18:55:26 UTC

This was fixed in Fedora as kernel-4.14.11 which pushed to stable on January 4, 2018

Comment 9 Product Security DevOps Team 2019-07-12 13:04:40 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-16995

Note You need to log in before you can comment on or make changes to this bug.

airlied
ajax
aquini
bhu
blc
bskeggs
dhoward
ewk
fhrbata
hdegoede
hkrzesin
hwkernel-mgr
iboverma
ichavero
itamar
jarodwilson
jcline
jeremy
jforbes
jglisse
jkacur
john.j5live
jonathan
josef
jross
jwboyer
kernel-maint
kernel-mgr
labbott
lgoncalv
linville
matt
mchehab
mcressma
mjg59
mlangsdo
nmurray
plougher
ppandit
rvrbovsk
skozina
steved
vdronov
williams