Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAFzhf4r3C=hqrH_yXVQExeQV5iqrdim7kp-NBDTm6FmSCicbeQ@mail.gmail.com>
Date: Wed, 26 May 2021 23:09:05 +0100
From: Piotr Krysiuk <piotras@...il.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2021-33200] Linux kernel enforcing incorrect limits for pointer
 arithmetic operations by BPF verifier can be abused to perform out-of-bounds
 reads and writes in kernel memory

An issue has been discovered in the Linux kernel that can be abused by
unprivileged local users to escalate privileges.

The issue is with how the BPF verifier computes limits to enforce on
the pointer arithmetic operations in BPF programs. In a particular
scenario these limits are computed incorrectly. When any incorrect
limits are enforced, performing the pointer arithmetic operation may
lead to out-of-bounds reads and writes in the kernel memory.

I developed PoCs that allow unprivileged local users to examine and
modify critical data structures in the kernel memory. It is possible,
for example, to reliably hijack control flow.

One of these PoCs has been shared privately with <security@...nel.org>
to assist with fix development.

The buggy computation was introduced with the commit
7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0 ("bpf: Tighten speculative
pointer arithmetic mask").

The patches are available from BPF subsystem public git repository.
The full patch series is as follows:

* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=3d0220f6861d713213b015b582e9f21e5b28d2e0
* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=bb01a1bba579b4b1c5566af24d95f1767859771e
* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=a7036191277f9fa68d92f2071ddc38c09b1e5ee5

# Discoverers

Piotr Krysiuk <piotras@...il.com>

# References

CVE-2021-33200 (reserved via https://cveform.mitre.org/)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.