oss-sec mailing list archives
CVE-2020-8835: Linux kernel bpf incorrect verifier vulnerability
From: Steve Beattie <steve () nxnw org>
Date: Mon, 30 Mar 2020 09:36:24 -0700
[re-sending, apologies if a prior version makes it to the list.]

Manfred Paul, as part of the ZDI pwn2own competition, demonstrated
that a flaw existed in the bpf verifier for 32-bit operations. This
was introduced in commit:

  581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")

The result is that register bounds were improperly calculated,
allowing out-of-bounds reads and writes to occur.

This issue affects 5.5 kernels, and was backported to 5.4-stable
as b4de258dede528f88f401259aab3147fb6da1ddf. The Linux kernel bpf
maintainers recommend reverting the patch for stable releases:

  https://lore.kernel.org/bpf/20200330160324.15259-1-daniel () iogearbox net/T/

This bpf functionality is available to unprivileged users unless the
kernel.unprivileged_bpf_disabled sysctl is set to 1.

This issue has been identified as CVE-2020-8835 (and ZDI-CAN-10780).

  https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8835.html
--
Steve Beattie
<sbeattie () ubuntu com>
http://NxNW.org/~steve/
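An added example, not part of Steve's message: a POSIX shell check for the mitigation the advisory names, reading kernel.unprivileged_bpf_disabled and reporting whether unprivileged users can still load BPF programs. The optional FILE argument and the /etc/sysctl.d file name are assumptions made for this example; the check also treats the value 2 accepted by kernels 5.15 and later as disabled.

```shell
#!/bin/sh
# Added check for the mitigation named in the advisory above: is unprivileged
# BPF disabled on this host? Not part of the original message.
# The default path is the real sysctl file; the FILE argument is an assumed
# parameter so the function can also be run against a constructed file.

SYSCTL_FILE=/proc/sys/kernel/unprivileged_bpf_disabled

# unpriv_bpf_state [FILE]
# Prints one of: disabled, enabled, unknown.
# Exit status: 0 mitigated, 1 exposed, 2 could not determine.
unpriv_bpf_state() {
    f="${1:-$SYSCTL_FILE}"
    # Missing file: kernel built without CONFIG_BPF_SYSCALL, or /proc not mounted.
    [ -r "$f" ] || { echo unknown; return 2; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        # 1: disabled until reboot (the setting the advisory names);
        # 2: accepted by kernels 5.15 and later, disabled but root may re-enable.
        1|2) echo disabled; return 0 ;;
        0)   echo enabled;  return 1 ;;
        *)   echo unknown;  return 2 ;;
    esac
}

# unpriv_bpf_report [FILE]
# Human-readable summary plus the remediation for the exposed case.
unpriv_bpf_report() {
    state=$(unpriv_bpf_state "$1")
    echo "kernel.unprivileged_bpf_disabled: $state"
    if [ "$state" = enabled ]; then
        echo "Unprivileged users can load BPF programs; to mitigate now:"
        echo "  sysctl -w kernel.unprivileged_bpf_disabled=1"
        # Example drop-in file name; any file under /etc/sysctl.d works.
        echo "and to persist across reboots, add to /etc/sysctl.d/99-bpf.conf:"
        echo "  kernel.unprivileged_bpf_disabled = 1"
    fi
    return 0
}

unpriv_bpf_report
```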