Message-ID: <20210511175549.GK12149@mussarela>
Date: Tue, 11 May 2021 14:55:49 -0300
From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-3489 - Linux kernel eBPF RINGBUF map oversized allocation

It was discovered that eBPF RINGBUF bpf_ringbuf_reserve did not check that the allocated size was smaller than the ringbuf size. Ryota Shiga (@Ga_ryo_) of Flatt Security, working with Trend Micro's Zero Day Initiative, discovered that this vulnerability could be turned into out-of-bounds writes in the kernel. This was originally reported as ZDI-CAN-13586 and assigned CVE-2021-3489.

It was introduced by commit 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it"), so it affects any kernel later than 5.8-rc1. It was not backported to any upstream LTS kernel.

The proposed fix is that the allocation size cannot be larger than the ringbuf size. Also, in order to prevent other exploits that change the producer pointer or record headers, writable mappings of those pages are denied, as was documented and is used by libbpf.

This is fixed by the following commit:
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=4b81ccebaeee885ab1aa1438133f2991e3a2b6ea

The commit below is also helpful in preventing other exploits:
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=04ea3086c4d73da7009de1e84962a904139af219

And the following commit to bpf selftests is useful for validating the above fix:
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=98a34e93da83e50e197584c7c362668bf12c1d54

Cascardo.
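To make the missing check concrete, the following is a constructed C model of a ring-buffer reserve path, added here by the editor; it is not code from the advisory, the kernel, or the fix commit. The names (model_rb, reserve_unchecked, reserve_fixed, reservation_in_bounds), the sizes DATA_SZ and HDR_SZ, and the scenario values are assumptions. The model keeps two documented properties of the kernel's ring buffer: the data pages are mapped twice so a record may wrap the end of the area once, and the space check is relative to a consumer position that lives on a page user space writes to. The pre-fix variant shows why that relative check alone is not a bound; the fixed variant adds the absolute cap the advisory describes, rejecting any record larger than the ring buffer before anything else happens.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of a BPF-style ring buffer reserve path.
 * It is not kernel code; names and sizes are assumptions for illustration. */

#define DATA_SZ   4096u            /* assumed data-area size (power of two) */
#define MASK      (DATA_SZ - 1)
#define HDR_SZ    8u               /* per-record length header */
#define MAPPED_SZ (2u * DATA_SZ)   /* the kernel maps the data pages twice so a
                                      record may wrap the end of the area once */

struct model_rb {
    uint64_t producer_pos;  /* advanced by the kernel when a record is reserved */
    uint64_t consumer_pos;  /* lives on a page user space writes to acknowledge
                               records: from the kernel's side, untrusted input */
};

struct reservation {
    int ok;          /* 1 if the reserve succeeded */
    uint64_t start;  /* byte offset of the record inside the data area */
    uint64_t len;    /* header plus payload, rounded up to 8 bytes */
};

/* Header plus payload, rounded up to the 8-byte record alignment. */
static uint64_t record_len(uint64_t size) {
    return (size + HDR_SZ + 7u) & ~(uint64_t)7u;
}

/* Relative space check: the producer may not run more than MASK bytes ahead
 * of the consumer. On its own this depends entirely on consumer_pos. */
static int space_ok(const struct model_rb *rb, uint64_t len) {
    uint64_t new_prod = rb->producer_pos + len;
    return new_prod - rb->consumer_pos <= MASK;
}

/* Pre-fix behaviour as the advisory describes it: the requested size is
 * never compared with the ring buffer size itself. */
static struct reservation reserve_unchecked(struct model_rb *rb, uint64_t size) {
    struct reservation r = {0, 0, 0};
    uint64_t len = record_len(size);
    if (!space_ok(rb, len))
        return r;
    r.ok = 1;
    r.start = rb->producer_pos & MASK;
    r.len = len;
    rb->producer_pos += len;
    return r;
}

/* Fixed behaviour: an absolute cap, checked first. A record longer than the
 * whole data area can never be valid, whatever consumer_pos claims. */
static struct reservation reserve_fixed(struct model_rb *rb, uint64_t size) {
    struct reservation r = {0, 0, 0};
    if (record_len(size) > DATA_SZ)
        return r;
    return reserve_unchecked(rb, size);
}

/* Does the record's byte range stay inside the doubly mapped region?
 * A 0 here is the out-of-bounds write the advisory describes. */
static int reservation_in_bounds(const struct reservation *r) {
    return r->ok && r->start + r->len <= MAPPED_SZ;
}

int main(void) {
    /* Normal case: a small record against a sane consumer position. */
    struct model_rb rb = {0, 0};
    struct reservation a = reserve_fixed(&rb, 100);
    printf("small record: ok=%d len=%llu in_bounds=%d\n",
           a.ok, (unsigned long long)a.len, reservation_in_bounds(&a));

    /* Constructed scenario: consumer_pos holds a value that lets the relative
     * check pass although the record is three times the data area. */
    struct model_rb pre = {0, 3u * DATA_SZ};
    struct reservation b = reserve_unchecked(&pre, 3u * DATA_SZ - HDR_SZ);
    printf("pre-fix oversized: ok=%d len=%llu in_bounds=%d\n",
           b.ok, (unsigned long long)b.len, reservation_in_bounds(&b));

    struct model_rb post = {0, 3u * DATA_SZ};
    struct reservation c = reserve_fixed(&post, 3u * DATA_SZ - HDR_SZ);
    printf("fixed oversized: ok=%d (rejected before any offset is handed out)\n", c.ok);
    return 0;
}
```

The point for a reviewer of similar code is the order of checks: a relative check against shared, user-writable state is a flow-control condition, not a bound; the bound has to be an absolute comparison against the buffer's own size, placed before any offset is computed or handed out.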