Bug 1528516 (CVE-2017-16996) - CVE-2017-16996 kernel: memory corruption caused by BPF verifier bugs can allow for arbitrary code execution
Summary: CVE-2017-16996 kernel: memory corruption caused by BPF verifier bugs can allo...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-16996
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1528517 1528637
Blocks: 1528364
TreeView+ depends on / blocked
 
Reported: 2017-12-22 02:27 UTC by Sam Fowler
Modified: 2019-09-29 14:28 UTC (History)
44 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An arbitrary memory r/w access issue was found in the Linux kernel compiled with the eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation errors in the eBPF verifier module, triggered by user supplied malicious BPF program. An unprivileged user could use this flaw to escalate their privileges on a system. Setting parameter "kernel.unprivileged_bpf_disabled=1" prevents such privilege escalation by restricting access to bpf(2) call.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:04:38 UTC


Attachments (Terms of Use)

Description Sam Fowler 2017-12-22 02:27:44 UTC
Linux kernel built with the eBPF bpf(2) system call(CONFIG_BPF_SYSCALL) support
is vulnerable to an arbitrary memory r/w access issue. It could occur if a user supplied a malicious BPF program which results calculations error in eBPF verifier module.

An unprivileged user could use this flaw to escalate their privileges on a system.

Upstream patch
--------------
  -> https://git.kernel.org/linus/3db9128fcf02dcaafa3860a69a8a55d5529b6e30

References:
-----------
  -> http://seclists.org/oss-sec/2017/q4/429
  -> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16996
  -> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16996
  -> https://bugs.chromium.org/p/project-zero/issues/detail?id=1454

Mitigation:
-----------
  # echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled

Comment 1 Sam Fowler 2017-12-22 02:28:42 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1528517]

Comment 6 Eric Christensen 2018-01-02 13:30:28 UTC
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.

Comment 7 Jeremy Cline 2018-01-11 19:07:42 UTC
This was fixed in Fedora in kernel-4.14.11 which pushed to stable on January 4,
2018

Comment 8 Product Security DevOps Team 2019-07-12 13:04:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-16996


Note You need to log in before you can comment on or make changes to this bug.