Message-ID: <20210323170306.GA2473828@nxnw.org>
Date: Tue, 23 Mar 2021 10:03:06 -0700
From: Steve Beattie <steve.beattie@...onical.com>
To: oss-security@...ts.openwall.com
Cc: ONE K <n4ke4mry@...il.com>
Subject: [CVE-2021-3444] Linux kernel bpf verifier incorrect mod32 truncation

Hello,

CVE-2021-3444 - Linux kernel bpf verifier incorrect mod32 truncation

Recently, it was discovered that the bpf verifier in the Linux kernel
did not properly handle mod32 destination register truncation when
the source register was known to be 0. De4dCr0w of 360 Alpha Lab
discovered that this vulnerability could be turned into out-of-bounds
reads in the kernel, and out-of-bounds writes cannot be ruled out.

It was fixed in upstream commit:

  9b00f1b78809 ("bpf: Fix truncation handling for mod32 dst reg wrt zero")

and also landed in the 5.11.2, 5.10.19, and 5.4.101 stable kernels.

The commit itself references

  468f6eafa6c4 ("bpf: fix 32-bit ALU op verification") (v4.15-rc5)

as introducing the issue, but further analysis seemed to indicate that

  f6b1b3bf0d5f ("bpf: fix subprog verifier bypass by div/mod by 0 exception") (v4.16-rc1)

was also necessary to take advantage of the vulnerability.

Thanks.

-- 
Steve Beattie
<sbeattie@...ntu.com>
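Added example, not part of Steve Beattie's advisory: a POSIX shell check that compares a kernel version string against the stable releases named in the advisory (5.11.2, 5.10.19, 5.4.101). Two assumptions are mine and not stated in the message: that mainline 5.12 and later carry the upstream fix commit, and that kernels below 4.15 are out of scope because they predate the introducing commit the advisory cites (v4.15-rc5). Distribution kernels routinely backport fixes without bumping the upstream version string, so a "below the fixing release" result means "check the vendor advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the advisory): classify a kernel version string
# against the CVE-2021-3444 fixing releases listed in the oss-security post.

FIXED_RELEASES="5.11.2 5.10.19 5.4.101"   # stable releases named in the advisory

# Reduce "5.10.19-1-generic" to three numeric fields: "5 10 19".
# Anything from the first non-digit/non-dot character on (distro suffix) is dropped;
# a missing patch level becomes 0.
ver_fields() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//' | awk -F. '{ printf "%d %d %d\n", $1, $2, $3 }'
}

# Return 0 if version $1 >= version $2 (numeric, field by field).
ver_ge() {
    set -- $(ver_fields "$1") $(ver_fields "$2")
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Exit status:
#   0  version is at/above the fixing release on its stable series,
#      or is on a series assumed unaffected (see comments below)
#   1  version is on a listed stable series but below the fixing release
#   2  series not covered by the advisory's list; consult upstream/vendor
kernel_fixed() {
    kver=$1
    set -- $(ver_fields "$kver")
    series="$1.$2"
    for fixed in $FIXED_RELEASES; do
        case "$fixed" in
            "$series".*) ver_ge "$kver" "$fixed"; return $? ;;
        esac
    done
    # Assumption (not in the advisory): mainline 5.12+ contains the upstream commit.
    if [ "$1" -gt 5 ] || { [ "$1" -eq 5 ] && [ "$2" -ge 12 ]; }; then
        return 0
    fi
    # Per the advisory, the issue was introduced in v4.15-rc5, so older series predate it.
    if [ "$1" -lt 4 ] || { [ "$1" -eq 4 ] && [ "$2" -lt 15 ]; }; then
        return 0
    fi
    return 2
}

# Human-readable wrapper; the status codes above are what a script should consume.
report() {
    if kernel_fixed "$1"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "$1: at or above the fixing release (or outside the affected range)" ;;
        1) echo "$1: below the fixing stable release; check for a vendor backport" ;;
        *) echo "$1: series not covered by the advisory; consult upstream/vendor" ;;
    esac
}

report "$(uname -r)"
```

Run it on a host to get the one-line verdict for the running kernel, or call `kernel_fixed` directly with a version string from an inventory and branch on the exit status.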
