Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 26 May 2021 23:09:05 +0100
From: Piotr Krysiuk <>
Subject: [CVE-2021-33200] Linux kernel enforcing incorrect limits for pointer
 arithmetic operations by BPF verifier can be abused to perform out-of-bounds
 reads and writes in kernel memory

An issue has been discovered in the Linux kernel that can be abused by
unprivileged local users to escalate privileges.

The issue is with how the BPF verifier computes limits to enforce on
the pointer arithmetic operations in BPF programs. In a particular
scenario these limits are computed incorrectly. When any incorrect
limits are enforced, performing the pointer arithmetic operation may
lead to out-of-bounds reads and writes in the kernel memory.

I developed PoCs that allow unprivileged local users to examine and
modify critical data structures in the kernel memory. It is possible,
for example, to reliably hijack control flow.

One of these PoCs has been shared privately with <>
to assist with fix development.

The buggy computation was introduced with the commit
7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0 ("bpf: Tighten speculative
pointer arithmetic mask").

The patches are available from BPF subsystem public git repository.
The full patch series is as follows:


# Discoverers

Piotr Krysiuk <>

# References

CVE-2021-33200 (reserved via

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.