Bug 1942667 (CVE-2021-3444) - CVE-2021-3444 kernel: bpf verifier incorrect mod32 truncation
Status: CLOSED NOTABUG
Alias: CVE-2021-3444
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1946619 1946620 1946621 1946622 1942669 1945049 1945050 1945051 1945052 1945053 1945057
Blocks: 1942668
Reported: 2021-03-24 17:43 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-09 15:43 UTC

Doc Text:
An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script uses mod32 destination register truncation when the source register was known to be 0. This flaw allows a local user to crash the system or possibly escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Last Closed: 2021-11-09 15:41:55 UTC


Description Guilherme de Almeida Suckevicz 2021-03-24 17:43:20 UTC
The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this to gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution.

Reference:
https://www.openwall.com/lists/oss-security/2021/03/23/2

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9b00f1b78809

Comment 1 Guilherme de Almeida Suckevicz 2021-03-24 17:45:17 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1942669]

Comment 2 Justin M. Forbes 2021-03-25 16:44:49 UTC
This was fixed for Fedora with the 5.10.19 stable kernel updates.

Comment 3 Alex 2021-03-25 16:46:02 UTC
Mitigation:

The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw, reducing its attack space.

For Red Hat Enterprise Linux 7, eBPF for unprivileged users is always disabled.
For Red Hat Enterprise Linux 8, to confirm the current state, inspect the sysctl with the command:

# cat /proc/sys/kernel/unprivileged_bpf_disabled

The setting of 1 would mean that unprivileged users cannot use eBPF, mitigating the flaw.
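
Added example, not part of the comment above or of any Red Hat tooling: a POSIX shell audit of this mitigation that reads the sysctl, treats an unreadable file as unknown rather than safe, and flags persistent sysctl files that would set the value back to 0 at boot. The function names and exit codes are this example's own, and it goes beyond the comment by also recognising the value 2, which newer kernels accept as "disabled, but an administrator may change it later".

```shell
#!/bin/sh
# Added example; function names and exit codes are assumptions of this sketch.
# Usage: check_unpriv_bpf
#        find_reenabling_config /etc/sysctl.conf /etc/sysctl.d/*.conf

# Map a sysctl value to a verdict: 0 = exposed, 1 = mitigated (as in the
# comment above); 2 = also disabled, but changeable by an admin (newer kernels).
classify_unpriv_bpf() {
    case "$1" in
        0) echo "EXPOSED: unprivileged users can use eBPF"; return 1 ;;
        1) echo "MITIGATED: unprivileged eBPF disabled"; return 0 ;;
        2) echo "MITIGATED: unprivileged eBPF disabled (admin may change)"; return 0 ;;
        *) echo "UNKNOWN: unexpected value '$1'"; return 2 ;;
    esac
}

# Read the live setting; an unreadable file is reported as unknown, never safe.
check_unpriv_bpf() {
    f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    if [ ! -r "$f" ]; then
        echo "UNKNOWN: $f is not readable"
        return 2
    fi
    classify_unpriv_bpf "$(tr -d '[:space:]' < "$f")"
}

# Print file:line:text for persistent settings that set the sysctl to 0 at
# boot. Returns 0 if any such line exists, 1 otherwise.
find_reenabling_config() {
    found=1
    pat='^[[:space:]]*kernel[./]unprivileged_bpf_disabled[[:space:]]*=[[:space:]]*0[[:space:]]*$'
    for f in "$@"; do
        [ -f "$f" ] || continue
        # /dev/null as a second operand makes grep always print the file name.
        if grep -En "$pat" "$f" /dev/null; then
            found=0
        fi
    done
    return "$found"
}
```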

Comment 7 Alex 2021-03-31 09:59:10 UTC
Statement:

This flaw is rated as having Moderate impact because of the need to have elevated privileges or non-standard configuration for running a BPF script.

