[CVE-2021-3444] Linux kernel bpf verifier incorrect mod32 truncation

Related Vulnerabilities: CVE-2021-3444  
oss-sec mailing list archives

From: Steve Beattie <steve.beattie () canonical com>

Date: Tue, 23 Mar 2021 10:03:06 -0700
Hello,

CVE-2021-3444 - Linux kernel bpf verifier incorrect mod32 truncation

Recently, it was discovered that the bpf verifier in the Linux kernel
did not properly handle mod32 destination register truncation when
the source register was known to be 0. De4dCr0w of 360 Alpha Lab
discovered that this vulnerability could be turned into out-of-bounds
reads in the kernel, and out-of-bounds writes cannot be ruled out.

It was fixed in upstream commit:

  9b00f1b78809 ("bpf: Fix truncation handling for mod32 dst reg wrt zero")

and also landed in the 5.11.2, 5.10.19, and 5.4.101 stable kernels.

The commit itself references

  468f6eafa6c4 ("bpf: fix 32-bit ALU op verification") (v4.15-rc5)

as introducing the issue, but further analysis seemed to indicate that

  f6b1b3bf0d5f ("bpf: fix subprog verifier bypass by div/mod by 0 exception") (v4.16-rc1)

was also necessary to take advantage of the vulnerability.

Thanks.

-- 
Steve Beattie
<sbeattie () ubuntu com>
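To illustrate the class of bug the advisory describes, the following added example (not the kernel's code and not part of the message above) models a verifier's value tracker side by side with the runtime semantics of a 32-bit modulo whose divisor is zero. The direction of the mismatch is an assumption of the model: the tracker clamps the destination to a 32-bit range as it does for every 32-bit ALU result, while the runtime leaves a mod-by-zero destination untouched, so the tracked bounds stop being sound; the message itself only states that truncation was mishandled. All register values and the `region_size` are constructed.

```python
# Constructed model of a value tracker and a runtime disagreeing about whether
# a 32-bit mod by zero zero-extends the destination register.  Not the Linux
# verifier's code; the direction of the mismatch is an assumption.

MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1


def runtime_mod32(dst, src, zero_extend_on_zero):
    """Runtime result of `w_dst %= w_src` on 64-bit registers (modeled).

    Modulo by zero is defined as leaving dst unchanged.  Whether the upper
    32 bits are then cleared, as they are for every other 32-bit ALU result,
    is controlled by `zero_extend_on_zero`.
    """
    dst &= MASK64
    src &= MASK32
    if src == 0:
        return (dst & MASK32) if zero_extend_on_zero else dst
    return (dst & MASK32) % src


def tracked_bounds_after_mod32(dst_bounds):
    """Unsigned range the tracker records for dst after a 32-bit mod.

    It treats the result like any 32-bit ALU output: zero-extended, hence
    within [0, 2**32 - 1], even when the divisor is known to be zero.
    """
    return (0, MASK32)


def bounds_sound(bounds, value):
    """Soundness invariant: the concrete value must lie inside the tracked range."""
    lo, hi = bounds
    return lo <= value <= hi


def access_permitted(index_bounds, region_size):
    """A bounded-memory access is accepted only if the whole tracked range fits."""
    lo, hi = index_bounds
    return lo >= 0 and hi < region_size


def simulate_mod32_by_zero(dst_value, zero_extend_on_zero, region_size=1 << 32):
    """Push one `w_dst %= w_src` with w_src == 0 through tracker and runtime."""
    tracked = tracked_bounds_after_mod32((dst_value, dst_value))
    actual = runtime_mod32(dst_value, 0, zero_extend_on_zero)
    return {
        "tracked": tracked,
        "actual": actual,
        "sound": bounds_sound(tracked, actual),
        "access_permitted": access_permitted(tracked, region_size),
        "access_in_bounds": 0 <= actual < region_size,
    }


def check_soundness(samples, zero_extend_on_zero):
    """True only if the tracker stays sound for every sample value."""
    return all(simulate_mod32_by_zero(v, zero_extend_on_zero)["sound"] for v in samples)


if __name__ == "__main__":
    samples = [0, 1, MASK32, MASK32 + 1, MASK64]  # constructed register values
    for flag in (False, True):
        print("runtime zero-extends on mod-by-zero:", flag,
              "-> tracker sound:", check_soundness(samples, flag))
    r = simulate_mod32_by_zero(MASK64, False)
    print("mismatch case: tracked", r["tracked"], "actual", hex(r["actual"]),
          "access permitted", r["access_permitted"],
          "in bounds", r["access_in_bounds"])
```

The `check_soundness` function is the check that matters from a defender's point of view: feeding the same instruction to the abstract (tracker) and concrete (runtime) semantics and comparing is a differential test that catches this kind of divergence, and making both sides apply the same zero-extension restores the invariant that every permitted access is also in bounds.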