Bug 1529123 (CVE-2017-17863) - CVE-2017-17863 kernel: integer overflow in static int check_alu_op function in bpf/verifier.c
Summary: CVE-2017-17863 kernel: integer overflow in static int check_alu_op function i...
Status: CLOSED NOTABUG
Alias: CVE-2017-17863
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20171223,repor...
Keywords: Security
Depends On: 1529125 1535005
Blocks: 1528364
TreeView+ depends on / blocked
 
Reported: 2017-12-26 14:33 UTC by Pedro Sampaio
Modified: 2019-06-08 22:34 UTC (History)
44 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2019-06-08 03:34:56 UTC


Attachments (Terms of Use)

Description Pedro Sampaio 2017-12-26 14:33:08 UTC
kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not check the relationship between pointer values and the BPF stack, which allows local users to cause a denial of service (integer overflow or invalid memory access) or possibly have unspecified other impact.

References:

https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/bugfix/all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch?h=stretch-security
https://www.spinics.net/lists/stable/msg206985.html

Comment 1 Pedro Sampaio 2017-12-26 14:48:32 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1529125]

Comment 3 Prasad J Pandit 2018-01-18 05:24:36 UTC
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.

Comment 5 Jiri Olsa 2019-01-09 09:02:53 UTC
(In reply to Pedro Sampaio from comment #0)
> kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not
> check the relationship between pointer values and the BPF stack, which
> allows local users to cause a denial of service (integer overflow or invalid
> memory access) or possibly have unspecified other impact.
> 
> References:
> 
> https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/bugfix/
> all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch?h=stretch-
> security
> https://www.spinics.net/lists/stable/msg206985.html

based on info from BZ1529120 is the requested 4.9 patch:
  bpf: reject out-of-bounds stack pointer calculation

counterpart to upstream:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=179d1c5602997fef5a940c6ddcf31212cbfebd14.

please let me know if that's correct or provide nother upstream patch

thanks,
jirka

Comment 6 Pedro Sampaio 2019-01-09 17:03:49 UTC
Yes, I could confirm that the 4.9 patch aims to reflect the same behavior of this counterpart patch on the newer upstream code.


Note You need to log in before you can comment on or make changes to this bug.