Bug 1940627 (CVE-2020-27170) - CVE-2020-27170 kernel: Speculation on pointer arithmetic against bpf_context pointer
Summary: CVE-2020-27170 kernel: Speculation on pointer arithmetic against bpf_context ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-27170
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1951613 1951614 1951615 1951616 1940839 1942688 1942689 1942690 1942691 1942692 1949839
Blocks: 1940628
Reported: 2021-03-18 18:40 UTC by Pedro Sampaio
Modified: 2022-05-05 14:01 UTC (History)
CC: 45 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's eBPF verification code. By default, the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. A local user with the ability to insert eBPF instructions can use the eBPF verifier to abuse a Spectre-like flaw where they can infer all system memory.
Clone Of:
Environment:
Last Closed: 2021-06-09 03:03:56 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:2362 0 None None None 2021-06-09 11:51:55 UTC
Red Hat Product Errata RHSA-2021:2314 0 None None None 2021-06-08 22:31:41 UTC
Red Hat Product Errata RHSA-2021:2316 0 None None None 2021-06-08 22:33:14 UTC

Description Pedro Sampaio 2021-03-18 18:40:19 UTC
Speculation on pointer arithmetic against bpf_context pointer allows unprivileged local users to leak content of kernel memory.

# Bug Fix

The minimal fix is:

* bpf: Prohibit alu ops for pointer types not defining ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 ]

However it is recommended to use the whole series that also includes
fix for another similar vulnerability reported at the same time and
improvements of the affected code:

* bpf: Prohibit alu ops for pointer types not defining ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 ]
* bpf: Fix off-by-one for area size in creating mask to left [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899 ]
* bpf: Simplify alu_limit masking for pointer arithmetic [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b5871dca250cd391885218b99cc015aca1a51aea ]
* bpf: Add sanity check for upper ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=1b1597e64e1a610c7a96710fc4717158e98a08b3 ]
* bpf, selftests: Fix up some test_verifier cases for unprivileged [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=0a13e3537ea67452d549a6a80da3776d6b7dedb3 ]

Comment 1 msiddiqu 2021-03-19 10:28:35 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1940839]

Comment 4 Alex 2021-03-24 16:32:41 UTC
Mitigation:

The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw, reducing its attack space.

For Red Hat Enterprise Linux 7, eBPF for unprivileged users is always disabled.
For Red Hat Enterprise Linux 8, to confirm the current state, inspect the sysctl with the command:

# cat /proc/sys/kernel/unprivileged_bpf_disabled

A setting of 1 means that unprivileged users cannot use eBPF, mitigating the flaw.

A kernel update will be required to mitigate the flaw for the root or users with CAP_SYS_ADMIN capabilities.
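
The check in the mitigation comment above, turned into a small POSIX shell script that a fleet or compliance job can run. This is an added example and is not part of the bug report or of any Red Hat tooling; the function names and the optional file-path argument (used only so the logic can be exercised against a constructed file) are this example's own. The sysctl path and the meaning of values 0 and 1 are the kernel's; the script also recognises value 2 (disabled, but an administrator may set it back to 0), which newer upstream kernels accept, so the same script works beyond the RHEL 8 case the comment describes.

```sh
#!/bin/sh
# Added example: classify kernel.unprivileged_bpf_disabled so a script can
# tell "unprivileged eBPF reachable" from "mitigated" without a human
# reading the raw number. Not part of the bug report.

# Map a raw sysctl value to a state. 0 and 1 are what RHEL 8's 4.18-based
# kernel exposes; 2 exists on newer upstream kernels and means "disabled
# now, but can be set back to 0 at runtime".
classify_unpriv_bpf() {
    case "$1" in
        0) echo "enabled" ;;             # any local user may load eBPF: flaw reachable
        1) echo "disabled-locked" ;;     # disabled until reboot; cannot be re-enabled
        2) echo "disabled-unlockable" ;; # disabled, but could be flipped back to 0
        *) echo "unknown" ;;
    esac
}

# Read the sysctl. The optional path argument is an assumption of this
# example so the logic can be tested against a constructed file; by
# default it reads the live knob.
unpriv_bpf_state() {
    path="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    if [ ! -r "$path" ]; then
        # The kernel does not expose the knob at all (older kernels, or a
        # build without the BPF syscall). Report it rather than guess.
        echo "absent"
        return 0
    fi
    classify_unpriv_bpf "$(cat "$path")"
}

# Exit status 0 when unprivileged eBPF cannot currently be used, 1 otherwise.
# "absent" and "unknown" are deliberately NOT counted as mitigated: review
# the kernel build by hand instead of silently marking the host safe.
mitigated() {
    case "$(unpriv_bpf_state "$1")" in
        disabled-locked|disabled-unlockable) return 0 ;;
        *) return 1 ;;
    esac
}

# Live report when run directly on a host.
state=$(unpriv_bpf_state)
echo "kernel.unprivileged_bpf_disabled: $state"
if mitigated; then
    echo "unprivileged eBPF is disabled; only CAP_SYS_ADMIN/root can reach CVE-2020-27170 until the kernel errata are applied"
else
    echo "unprivileged eBPF is NOT confirmed disabled; apply the kernel errata or set kernel.unprivileged_bpf_disabled=1"
fi
```

Note that even a "mitigated" result only narrows the attack surface to privileged users, as the comment says; the errata kernel is still required to close the flaw for CAP_SYS_ADMIN and root.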

Comment 15 errata-xmlrpc 2021-06-08 22:31:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2314 https://access.redhat.com/errata/RHSA-2021:2314

Comment 16 errata-xmlrpc 2021-06-08 22:33:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2316 https://access.redhat.com/errata/RHSA-2021:2316

Comment 17 Product Security DevOps Team 2021-06-09 03:03:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27170

