Bug 1640596 (CVE-2018-18445) - CVE-2018-18445 kernel: Faulty computation of numberic bounds in the BPF verifier
Summary: CVE-2018-18445 kernel: Faulty computation of numberic bounds in the BPF verifier
Status: CLOSED ERRATA
Alias: CVE-2018-18445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20181005,repor...
Keywords: Security
Depends On: 1641388 1641390 1638044 1641387 1641389 1641391 1641392
Blocks: 1640597
TreeView+ depends on / blocked
 
Reported: 2018-10-18 11:33 UTC by Andrej Nemec
Modified: 2019-06-11 11:13 UTC (History)
48 users (show)

(edit)
A security flaw was found in the Linux kernel in the adjust_scalar_min_max_vals() function in kernel/bpf/verifier.c. A faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because this function mishandles 32-bit right shifts. A local unprivileged user cannot leverage this flaw, but as a privileged user ("root") this can lead to a system panic and a denial of service or other unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
Clone Of:
(edit)
Last Closed: 2019-06-10 10:40:39 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0512 None None None 2019-03-13 22:58 UTC
Red Hat Product Errata RHSA-2019:0514 None None None 2019-03-13 18:46 UTC

Description Andrej Nemec 2018-10-18 11:33:58 UTC
A security flaw was found in the Linux kernel in the adjust_scalar_min_max_vals() function in kernel/bpf/verifier.c. A faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because this function mishandles 32-bit right shifts. A local unprivileged user cannot leverage this flaw, but as a privileged user ("root") this can lead to a system panic and a denial of service or other unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1686

https://seclists.org/oss-sec/2018/q4/69

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b799207e1e1816b09e7a5920fbb2d5fcf6edd681

Comment 4 Vladis Dronov 2018-12-10 11:00:15 UTC
Note:

A local unprivileged user cannot leverage this flaw, as in the Red Hat Enterprise Linux eBPF-related operations are allowed for the privileged user ("root") only.

Comment 5 errata-xmlrpc 2019-03-13 18:46:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0514 https://access.redhat.com/errata/RHSA-2019:0514

Comment 6 errata-xmlrpc 2019-03-13 22:58:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0512 https://access.redhat.com/errata/RHSA-2019:0512


Note You need to log in before you can comment on or make changes to this bug.