oss-sec mailing list archives
CVE-2020-8835: Linux kernel bpf incorrect verifier vulnerability
From: Steve Beattie <steve () nxnw org>
Date: Mon, 30 Mar 2020 09:36:24 -0700
[re-sending, apologies if a prior version makes it to the list.]

Manfred Paul, as part of the ZDI pwn2own competition, demonstrated that a flaw existed in the bpf verifier for 32bit operations. This was introduced in commit:

581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")

The result is that register bounds were improperly calculated, allowing out-of-bounds reads and writes to occur.

This issue affects 5.5 kernels, and was backported to 5.4-stable as b4de258dede528f88f401259aab3147fb6da1ddf. The Linux kernel bpf maintainers recommend reverting the patch for stable releases: https://lore.kernel.org/bpf/20200330160324.15259-1-daniel () iogearbox net/T/

This bpf functionality is available to unprivileged users unless the kernel.unprivileged_bpf_disabled sysctl is set to 1.

This issue has been identified as CVE-2020-8835 (and ZDI-CAN-10780).

https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8835.html

--
Steve Beattie <sbeattie () ubuntu com>
http://NxNW.org/~steve/
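As an added example (not part of the advisory above, and not kernel or distribution tooling), a small POSIX shell check that classifies a host from its kernel release string and the kernel.unprivileged_bpf_disabled sysctl value the advisory names as the mitigation. The function names are hypothetical; the affected series (5.4-stable and 5.5) are taken from the advisory at major.minor granularity only, so the check cannot tell whether a particular 5.4.y or 5.5.y build already carries the revert, and reports those as "review" rather than "vulnerable".

```shell
#!/bin/sh
# Added example: exposure check for CVE-2020-8835 based on the advisory text.
# Series listed in the advisory: 5.5 and 5.4-stable (via backport). Other
# series are reported as "not-listed", which means "not named in this
# advisory", not "safe".

# cve_2020_8835_status RELEASE SYSCTL_VALUE
#   RELEASE      - kernel release string, e.g. from `uname -r`
#   SYSCTL_VALUE - contents of /proc/sys/kernel/unprivileged_bpf_disabled
# Prints one of: mitigated | review | not-listed
cve_2020_8835_status() {
    release="$1"
    unpriv_disabled="$2"
    # Kernel series is the leading "major.minor" of the release string.
    series=$(printf '%s' "$release" | sed -n 's/^\([0-9]*\.[0-9]*\).*/\1/p')
    case "$series" in
        5.4|5.5) in_series=1 ;;
        *)       in_series=0 ;;
    esac
    if [ "$in_series" -eq 0 ]; then
        echo "not-listed"
    elif [ "$unpriv_disabled" = "1" ]; then
        # Per the advisory, unprivileged users cannot reach the verifier
        # when the sysctl is 1, so the flaw is not exposed to them.
        echo "mitigated"
    else
        # Listed series with unprivileged bpf enabled: confirm whether the
        # running build has the revert applied before treating it as safe.
        echo "review"
    fi
}

# Read the live values on the current host and print a one-line verdict.
check_host() {
    rel=$(uname -r)
    val=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo unknown)
    printf 'kernel %s, unprivileged_bpf_disabled=%s -> %s\n' \
        "$rel" "$val" "$(cve_2020_8835_status "$rel" "$val")"
}
```

Call `check_host` on a live system; `cve_2020_8835_status` can also be fed inventory data (release string plus sysctl value) collected from other hosts.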