Bug 1993190 (CVE-2021-38166) - CVE-2021-38166 kernel: integer overflow and out-of-bounds write in kernel/bpf/hashtab.c when many elements are placed in a single bucket
Summary: CVE-2021-38166 kernel: integer overflow and out-of-bounds write in kernel/bpf...
Alias: CVE-2021-38166
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1993191 1994186 1994187 1994188
Blocks: 1993192
Reported: 2021-08-12 13:56 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:34 UTC

Fixed In Version: kernel 5.14-rc6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. An integer overflow can allow an out-of-bounds write when many elements are placed in a single hash table bucket. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Last Closed: 2021-11-08 02:30:34 UTC


Description Guilherme de Almeida Suckevicz 2021-08-12 13:56:12 UTC
A flaw in the Linux kernel's bpf implementation allows a local attacker to create an integer overflow resulting in an out-of-bounds write when a hashtable bucket has too many elements inserted. This is limited to users who are able to use the bpf syscall, and is not enabled by default on Red Hat Enterprise Linux kernels.

By default there is no action required. If the system has been configured to allow unprivileged users to use the ebpf subsystem, this can be rectified by issuing the command:

# sysctl -w kernel.unprivileged_bpf_disabled=1

To make these changes persistent between boots, insert the same rule using the mechanisms outlined in the man pages for sysctl.d and sysctl.conf.

Reference and upstream patch:
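
One way to script the check and the persistent setting from the description above, as an added example that is not part of the bug report or of Red Hat's tooling. It reads the same kernel.unprivileged_bpf_disabled knob the description points at and writes the sysctl.d drop-in the man pages describe; the drop-in file name, the --report/--apply flags, and the ability to pass an alternate file path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Red Hat bug entry: audit the
# kernel.unprivileged_bpf_disabled knob and persist it via a sysctl.d drop-in.
# File paths are parameters so the check can be exercised against a constructed
# file; the drop-in name 99-unprivileged-bpf.conf is an assumption.

KNOB=/proc/sys/kernel/unprivileged_bpf_disabled
DROPIN=/etc/sysctl.d/99-unprivileged-bpf.conf

# Report whether unprivileged bpf() is reachable. Prints one word and returns
# 0 when mitigated, 1 when exposed, 2 when the knob cannot be read (kernel
# built without it, or the file is not readable by this user).
bpf_unpriv_state() {
    f="${1:-$KNOB}"
    if [ ! -r "$f" ]; then
        echo unknown
        return 2
    fi
    # 0 = unprivileged users may call bpf(); any other value denies them
    case "$(cat "$f")" in
        0)      echo exposed;   return 1 ;;
        [1-9]*) echo mitigated; return 0 ;;
        *)      echo unknown;   return 2 ;;
    esac
}

# Contents of the persistent setting, in the sysctl.conf(5) "key = value" form.
dropin_content() {
    printf '# CVE-2021-38166 mitigation: deny bpf() to unprivileged users\n'
    printf 'kernel.unprivileged_bpf_disabled = 1\n'
}

# Write the drop-in (to $1 when given, so it can be tested without root) and,
# when run as root against the real path, apply the setting immediately too.
apply_mitigation() {
    target="${1:-$DROPIN}"
    dropin_content > "$target" || return 1
    if [ -z "$1" ] && [ "$(id -u)" = 0 ]; then
        sysctl -w kernel.unprivileged_bpf_disabled=1
    fi
}

# Stand-alone use: "--report" prints the live state (exit status 1 means
# exposed); "--apply" (as root) writes the drop-in and applies it now.
case "${1:-}" in
    --report) bpf_unpriv_state ;;
    --apply)  apply_mitigation ;;
esac
```

The knob path is parameterised only so the check can be run against a test file; on a live host `bpf_unpriv_state` with no argument reads /proc directly, and a printed `exposed` (value 0) is the state in which unprivileged processes can reach the bpf() syscall and therefore this code path.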

Comment 1 Guilherme de Almeida Suckevicz 2021-08-12 13:56:39 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1993191]
