Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+eGCHaJ8Vcgm=+KqmFwmLd8BP+Vn8aos6RZzvbzHd544SdQZg@mail.gmail.com>
Date: Thu, 13 Jan 2022 16:21:09 +0800
From: tr3e wang <tr3e.wang@...il.com>
To: oss-security@...ts.openwall.com
Cc: Daniel Borkmann <daniel@...earbox.net>
Subject: Linux Kernel eBPF Improper Input Validation Vulnerability

Hi all,

This vulnerability allows local attackers to escalate privileges on
affected installations of Linux Kernel. An attacker must first obtain the
ability to execute low-privileged code on the target system in order to
exploit this vulnerability.

The specific flaw exists within the handling of eBPF programs. The issue
results from the lack of proper validation of user-supplied eBPF programs
prior to executing them. An attacker can leverage this vulnerability to
escalate privileges and execute code in the context of the kernel.
BE AWARE, unprivileged bpf is disabled by default in most distros.

*Affected Version*

    Linux Kernel 5.8 or later

*Root Cause Analysis*

The bpf verifier(kernel/bpf/verifier.c) did not properly restrict several
*_OR_NULL pointer types which allows these types to do pointer arithmetic.
This can be leveraged to bypass the verifier check and escalate privilege.
(see
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/bpf/verifier.c?h=v5.10.83#n6022
)

*Exploit Code*

Exploit code will be delayed for 5 days and will be posted at 12:00 UTC,
Jan 18, 2022

*Mitigations*

set kernel.unprivileged_bpf_disabled to 1

BE AWARE AGAIN, unprivileged bpf is disabled by default in most distros.

*Credits*

tr3e of SecCoder Security Lab
Best,
tr3e

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.