Bug 1640596 (CVE-2018-18445) - CVE-2018-18445 kernel: Faulty computation of numeric bounds in the BPF verifier
Summary: CVE-2018-18445 kernel: Faulty computation of numeric bounds in the BPF verifier
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-18445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1638044 1641387 1641388 1641389 1641390 1641391 1641392
Blocks: 1640597
Reported: 2018-10-18 11:33 UTC by Andrej Nemec
Modified: 2021-02-16 22:53 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A security flaw was found in the Linux kernel in the adjust_scalar_min_max_vals() function in kernel/bpf/verifier.c. A faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because this function mishandles 32-bit right shifts. A local unprivileged user cannot leverage this flaw, but as a privileged user ("root") this can lead to a system panic and a denial of service or other unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:40:39 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0512 0 None None None 2019-03-13 22:58:03 UTC
Red Hat Product Errata RHSA-2019:0514 0 None None None 2019-03-13 18:46:30 UTC

Description Andrej Nemec 2018-10-18 11:33:58 UTC
A security flaw was found in the Linux kernel in the adjust_scalar_min_max_vals() function in kernel/bpf/verifier.c. A faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because this function mishandles 32-bit right shifts. A local unprivileged user cannot leverage this flaw, but as a privileged user ("root") this can lead to a system panic and a denial of service or other unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1686

https://seclists.org/oss-sec/2018/q4/69

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b799207e1e1816b09e7a5920fbb2d5fcf6edd681

Comment 4 Vladis Dronov 2018-12-10 11:00:15 UTC
Note:

A local unprivileged user cannot leverage this flaw, as in Red Hat Enterprise Linux, eBPF-related operations are allowed for the privileged user ("root") only.

Comment 5 errata-xmlrpc 2019-03-13 18:46:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0514 https://access.redhat.com/errata/RHSA-2019:0514

Comment 6 errata-xmlrpc 2019-03-13 22:58:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0512 https://access.redhat.com/errata/RHSA-2019:0512
