Bug 1912683 (CVE-2021-20194) - CVE-2021-20194 kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt()
Summary: CVE-2021-20194 kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20194
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1951557 1918724 1918726 1926781
Blocks: 1911540 1926997
 
Reported: 2021-01-05 07:53 UTC by Dhananjay Arunesh
Modified: 2021-11-09 18:23 UTC
CC List: 46 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow flaw was found in the Linux kernel BPF subsystem in the way getsockopt is handled when a user-loaded BPF program is attached to it. A local user could use this flaw to crash the system or possibly escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2021-11-08 13:46:05 UTC
Embargoed:




Links
System: Red Hat Product Errata  ID: RHSA-2021:4140  Last Updated: 2021-11-09 17:21:26 UTC
System: Red Hat Product Errata  ID: RHSA-2021:4356  Last Updated: 2021-11-09 18:23:12 UTC

Description Dhananjay Arunesh 2021-01-05 07:53:19 UTC
There is a vulnerability in Linux kernel versions higher than 5.2 (if the kernel is compiled with the config params CONFIG_BPF_SYSCALL=y, CONFIG_BPF=y, CONFIG_CGROUPS=y, CONFIG_CGROUP_BPF=y, CONFIG_HARDENED_USERCOPY not set, and a BPF hook for getsockopt is registered). As a result of BPF execution, a local user can trigger a bug in the __cgroup_bpf_run_filter_getsockopt() function that can lead to a heap overflow (because of non-hardened usercopy). The impact of the attack could be denial of service or possibly privilege escalation.
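
The following is an added example and not code from this bug report, the reporter, or the kernel: a user-space C model of the pattern the description points at. A value object is allocated at the length the caller asked for, an attached hook (standing in for the BPF getsockopt program) runs and may rewrite that length, and the value is then copied back to the caller using the rewritten length. It shows three outcomes: trusting the length with a plain copy reads past the object into the adjacent heap data; the same path with a CONFIG_HARDENED_USERCOPY-style object-size check on the copy refuses it; and re-checking the length against the allocation after the hook refuses it regardless of usercopy hardening. All names (struct sockopt_ctx, run_filter_getsockopt, scenario, the hook callbacks), the arena layout and the error codes are assumptions made for the demonstration, not the kernel's __cgroup_bpf_run_filter_getsockopt() implementation or the upstream fix.

```c
/*
 * Added example (not from the bug report or the kernel): user-space model of
 * a getsockopt value object whose length a hook may rewrite after allocation.
 * Names, the arena layout, the hooks and the error codes are assumptions.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OPTVAL_ALLOC 16   /* size of the "slab object" holding the value  */
#define ADJACENT     32   /* unrelated heap data that follows the object  */

static unsigned char kernel_heap[OPTVAL_ALLOC + ADJACENT]; /* modelled heap   */
static unsigned char user_buf[64];                         /* caller's optval */

struct sockopt_ctx {
    unsigned char *optval;  /* kernel copy of the option value       */
    int optlen;             /* length the hook is allowed to rewrite */
};

typedef void (*getsockopt_hook)(struct sockopt_ctx *ctx);

static void benign_hook(struct sockopt_ctx *ctx) { (void)ctx; }

/* Hook that reports a length larger than the object it was handed. */
static void oversize_hook(struct sockopt_ctx *ctx)
{
    ctx->optlen = OPTVAL_ALLOC + ADJACENT;
}

/* Stand-in for copy_to_user(). With hardened == true it behaves like
 * CONFIG_HARDENED_USERCOPY: a copy that exceeds the heap object is refused. */
static int copy_to_user_model(unsigned char *dst, const unsigned char *src,
                              size_t object_len, size_t n, bool hardened)
{
    if (hardened && n > object_len)
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/*
 * Allocate the value object at the caller's length, run the hook, copy back.
 * Returns bytes copied to user_buf, or -errno.
 *   recheck == false: trust ctx.optlen after the hook ran (vulnerable shape;
 *                     a negative optlen would also go straight into the copy)
 *   recheck == true : reject a length the hook moved outside [0, max_optlen]
 */
static int run_filter_getsockopt(getsockopt_hook hook, int max_optlen,
                                 bool recheck, bool hardened)
{
    struct sockopt_ctx ctx = { kernel_heap, max_optlen };
    int rc;

    if (max_optlen < 0 || max_optlen > OPTVAL_ALLOC)
        return -EINVAL;                     /* keeps the model in its arena */

    memset(kernel_heap, 'V', OPTVAL_ALLOC);            /* the option value   */
    memset(kernel_heap + OPTVAL_ALLOC, 'S', ADJACENT); /* adjacent heap data */

    hook(&ctx);                             /* attached program runs here */

    if (recheck && (ctx.optlen < 0 || ctx.optlen > max_optlen))
        return -EFAULT;                     /* length no longer fits object */

    rc = copy_to_user_model(user_buf, ctx.optval, OPTVAL_ALLOC,
                            (size_t)ctx.optlen, hardened);
    return rc ? rc : ctx.optlen;
}

/* Run one configuration against a cleared caller buffer. */
static int scenario(getsockopt_hook hook, int max_optlen, bool recheck, bool hardened)
{
    memset(user_buf, 0, sizeof user_buf);
    return run_filter_getsockopt(hook, max_optlen, recheck, hardened);
}

/* Count adjacent-heap marker bytes that reached the caller: >0 means over-read. */
static int leaked_marker_bytes(int n)
{
    int count = 0;
    for (int i = 0; i < n && i < (int)sizeof user_buf; i++)
        if (user_buf[i] == 'S')
            count++;
    return count;
}

int main(void)
{
    int n = scenario(oversize_hook, 4, false, false);
    printf("trusted length, plain copy    : %d bytes, %d adjacent bytes leaked\n",
           n, leaked_marker_bytes(n));
    printf("trusted length, hardened copy : %d (-EFAULT is %d)\n",
           scenario(oversize_hook, 4, false, true), -EFAULT);
    printf("length re-checked after hook  : %d\n",
           scenario(oversize_hook, 4, true, false));
    printf("benign hook                   : %d bytes\n",
           scenario(benign_hook, 4, true, true));
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c` and run; negative return values follow the kernel's -errno convention. The model keeps the over-read inside its own arena so the demonstration is itself memory-safe, which is exactly what the real kernel does not do: there the copy walks into whatever follows the slab object, and only the usercopy hardening check (absent when CONFIG_HARDENED_USERCOPY is not set, as the description notes) or a correct length re-check after the hook stands between the attached program and adjacent kernel heap memory.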

Comment 1 Alex 2021-01-05 09:09:09 UTC
Acknowledgments:

Name: Loris Reiff

Comment 6 Petr Matousek 2021-01-14 12:27:08 UTC
Statement:

This flaw is rated as having Moderate impact because of the need to have elevated privileges or a non-standard configuration for running a BPF script.

Comment 10 Alex 2021-02-09 13:00:38 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1926781]

Comment 12 Alex 2021-03-03 18:54:11 UTC
Mitigation:

As a temporary solution, set the following sysctl: kernel.unprivileged_bpf_disabled = 1
This applies only starting from Red Hat Enterprise Linux 8.

Comment 13 Jiri Benc 2021-03-29 06:19:12 UTC
(In reply to Alex from comment #12)
> As a temporary solution, set the following sysctl:
> kernel.unprivileged_bpf_disabled = 1
> This applies only starting from Red Hat Enterprise Linux 8.

In RHEL 8, unprivileged_bpf_disabled is set to 1 by default. (Moreover, if it's forced to 0, the kernel gets tainted and unsupported.)

Comment 25 errata-xmlrpc 2021-11-09 17:21:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4140 https://access.redhat.com/errata/RHSA-2021:4140

Comment 26 errata-xmlrpc 2021-11-09 18:23:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4356 https://access.redhat.com/errata/RHSA-2021:4356

