oss-sec mailing list archives
CVE request: Linux kernel - bpf jit optimization flaw can panic kernel.
From: Wade Mealing <wmealing () redhat com>
Date: Mon, 22 Jun 2015 22:13:14 -0400 (EDT)
Gday,

I would like to request a CVE for a flaw in the BPF code in the Linux kernel.

The kernel's BPF JIT can be used to create a packet-filter-like mechanism that can be attached to a socket with the setsockopt() call. It requires JIT to be enabled via sysctl (/proc/sys/net/core/bpf_jit_enable). The kernel can turn BPF instructions into native hardware instructions using a JIT compiler.

In the problematic case, the compiler fails to optimise a set of specially crafted instructions. This creates a problem when this faulty instruction list is used during filtering, and the CPU can execute an invalid instruction (in receive_pkt).

This can be triggered as a non-root user, as they can start a server on an ephemeral port and attach a specially crafted packet filter. These incorrect instructions will run when the server receives a packet and execute the buggy instructions.

I'm unsure if this can lead to anything more than a DoS; however, that is something I'll try to determine.

This is already fixed upstream in [1], with a regression test case in [2].

Thanks,

Wade Mealing
Red Hat Product Security

References:

[1] https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=3f7352bf21f8fd7ba3e2fcef9488756f188e12be
[2] https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=bde28bc6ad0c575f8b4eebe8cd27e36d6c3b09c6
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1233615