Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Jan 2022 20:00:08 +0800
From: tr3e wang <>
Cc: Daniel Borkmann <>
Subject: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability

Hi all,

This vulnerability allows local attackers to escalate privileges on
affected installations of Linux Kernel. An attacker must first obtain the
ability to execute low-privileged code on the target system in order to
exploit this vulnerability.

The specific flaw exists within the handling of eBPF programs. The issue
results from the lack of proper validation of user-supplied eBPF programs
prior to executing them. An attacker can leverage this vulnerability to
escalate privileges and execute code in the context of the kernel.
BE AWARE, unprivileged bpf is disabled by default in most distros.

*Affected Version*

    Linux kernel 5.8 or later (For now, 5.8 - 5.16)

*Root Cause Analysis*

eBPF provides some helper functions, and the verifier checks whether it is
used properly according to bpf_func_proto.

For some helper functions require a PTR_TO_MEM as an argument, the verifier
MUST know the memory size through the next argument to prevent OOB.

However, bpf_ringbuf_submit and bpf_ringbuf_discard do not follow the
aboving rule. the verifier never know the size of memory passing into these
two helper functions, resulting in OOB.

*Exploit Code*

Exploit code will be delayed for 7 days and will be posted at 12:00 UTC,
Jan 18, 2022


set kernel.unprivileged_bpf_disabled to 1

BE AWARE AGAIN, unprivileged bpf is disabled by default in most distros.


tr3e of SecCoder Security Lab

Best Regards,

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.