Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CA+eGCHb3=V20Fh-dda20O6xtfBszuKmHnqSupsmrz_1Xuj3N4Q@mail.gmail.com>
Date: Tue, 11 Jan 2022 20:00:08 +0800
From: tr3e wang <tr3e.wang@...il.com>
To: oss-security@...ts.openwall.com
Cc: Daniel Borkmann <daniel@...earbox.net>
Subject: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability

Hi all,

This vulnerability allows local attackers to escalate privileges on
affected installations of Linux Kernel. An attacker must first obtain the
ability to execute low-privileged code on the target system in order to
exploit this vulnerability.

The specific flaw exists within the handling of eBPF programs. The issue
results from the lack of proper validation of user-supplied eBPF programs
prior to executing them. An attacker can leverage this vulnerability to
escalate privileges and execute code in the context of the kernel.
BE AWARE, unprivileged bpf is disabled by default in most distros.

*Affected Version*

    Linux kernel 5.8 or later (For now, 5.8 - 5.16)

*Root Cause Analysis*

eBPF provides some helper functions, and the verifier checks whether it is
used properly according to bpf_func_proto.

For some helper functions require a PTR_TO_MEM as an argument, the verifier
MUST know the memory size through the next argument to prevent OOB.
(see
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/bpf/verifier.c?h=v5.10.83#n4579
)

However, bpf_ringbuf_submit and bpf_ringbuf_discard do not follow the
aboving rule. the verifier never know the size of memory passing into these
two helper functions, resulting in OOB.
(see
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/bpf/ringbuf.c?h=v5.10.83#n423
)

*Exploit Code*

Exploit code will be delayed for 7 days and will be posted at 12:00 UTC,
Jan 18, 2022

*Mitigations*

set kernel.unprivileged_bpf_disabled to 1

BE AWARE AGAIN, unprivileged bpf is disabled by default in most distros.

*Credits*

tr3e of SecCoder Security Lab


Best Regards,
tr3e

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.