CVE request: Linux kernel - bpf jit optimization flaw can panic kenrel.

[Wade Mealing <wmealing () redhat com>]

Gday,
 
I would like to request a CVE for a flaw in the BPF code in the Linux kernel. 
 
The kernels BPF JIT can be used to create a packet filter like mechanism
that can be attached to a socket with the setsockopt() call.  It requires 
JIT to be enabled via sysctl ( /proc/sys/net/core/bpf_jit_enable )
 
The kernel can turn BPF instructions into native hardware instructions using 
a JIT compiler. In the problematic case, the compiler fails to optimise a set 
of specially crafted instructions. This creates a problem when this faulty
instruction list is used during filtering and the CPU can execute an invalid
instruction (in receive_pkt).
 
This can be triggered as an non-root user, as they can start a server on a 
ephemeral port and the packet filter with a specially crafted filter.
 
These incorrect instructions will run when the server receives a packet and execute 
the buggy instructions.
 
I'm unsure if this can lead to anything more than a DoS, however that
is something I'll try to determine.
 
This is already fixed upstream in [1], with a regression test case in [2].
 
Thanks,
 
Wade Mealing
Red Hat Product Security


References:
1] https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=3f7352bf21f8fd7ba3e2fcef9488756f188e12be
2] https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=bde28bc6ad0c575f8b4eebe8cd27e36d6c3b09c6
3] https://bugzilla.redhat.com/show_bug.cgi?id=1233615