oss-sec mailing list archives
CVE Request: Linux: Incorrect branch fixups for eBPF allow arbitrary read
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sun, 14 Feb 2016 15:52:17 +0100
Hi,

We would like to request a CVE for the following issue fixed in Linux with the following commit, which as well contains an analysis: https://git.kernel.org/linus/a1b14d27ed0965838350f1377ff97c93ee383492 (will be in v4.5-rc4):

When ctx access is used, the kernel often needs to expand/rewrite instructions, so after that patching, branch offsets have to be adjusted for both forward and backward jumps in the new eBPF program, but for backward jumps it fails to account for the delta. Meaning, for example, if the expansion happens exactly on the insn that sits at the jump target, it doesn't fix up the back jump offset.

The issue was introduced in v4.1-rc1 with commit https://git.kernel.org/linus/9bac3d6d548e5cc925570b263f35b70a00a00ffd .

Could you please assign a CVE for this issue?

Regards,
Salvatore
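The branch-fixup logic the request describes, as an added example that is not code from either kernel commit: a constructed, simplified instruction model (`struct insn`, `struct prog`, `expand_insn`, `adj_branches`, `count_broken_jumps` are all hypothetical names) in which one instruction at index `pos` is rewritten into `n` instructions and the jump offsets of the rest of the program are then corrected. The `fix_backward` flag switches between the pre-fix behaviour (only forward jumps that cross the expansion are adjusted) and the fixed behaviour (backward jumps that land at or before the expanded region are adjusted as well). The checker resolves every jump before and after the rewrite and counts jumps that no longer land on the original instruction they targeted; the sample program includes exactly the case named in the message, a backward jump whose target is the expanded instruction itself.

```c
#include <stdio.h>
#include <string.h>

#define MAX_INSNS 64

/* Constructed instruction model for this example, not the kernel's
 * struct bpf_insn. As in eBPF, a jump at index i with offset off lands
 * on index i + off + 1. */
struct insn {
    int is_jmp;  /* 1 for a jump, 0 for anything else */
    int off;     /* relative jump offset (ignored when is_jmp == 0) */
    int id;      /* label of the original instruction this came from */
    int frag;    /* 0 = original insn, k > 0 = k-th filler of an expansion */
};

struct prog {
    struct insn insns[MAX_INSNS];
    int len;
};

/* Adjust jump offsets after the instruction at `pos` has grown by `delta`
 * extra instructions, so that old index j > pos now lives at j + delta.
 * With fix_backward == 0 only forward jumps are corrected, which models the
 * behaviour the CVE request describes; with 1 backward jumps are fixed too. */
static void adj_branches(struct prog *p, int pos, int delta, int fix_backward)
{
    for (int i = 0; i < p->len; i++) {
        struct insn *in = &p->insns[i];
        if (!in->is_jmp)
            continue;
        /* Forward jump that starts before the expansion and lands past it. */
        if (i < pos && i + in->off + 1 > pos)
            in->off += delta;
        /* Backward jump that starts after the expanded region and lands at
         * or before the end of it (including the expanded insn itself). */
        else if (fix_backward && i > pos + delta && i + in->off + 1 <= pos + delta)
            in->off -= delta;
    }
}

/* Replace the instruction at `pos` with `n` instructions (n >= 1), as a
 * verifier rewrite of a ctx access would, then fix up the branches. */
static int expand_insn(struct prog *p, int pos, int n, int fix_backward)
{
    int delta = n - 1;
    if (pos < 0 || pos >= p->len || n < 1 || p->len + delta > MAX_INSNS)
        return -1;
    /* Shift the tail right to make room for the extra instructions. */
    memmove(&p->insns[pos + n], &p->insns[pos + 1],
            (size_t)(p->len - pos - 1) * sizeof(struct insn));
    /* Fillers are plain (non-jump) instructions tagged as fragments. */
    for (int k = 1; k < n; k++) {
        p->insns[pos + k].is_jmp = 0;
        p->insns[pos + k].off = 0;
        p->insns[pos + k].id = p->insns[pos].id;
        p->insns[pos + k].frag = k;
    }
    p->len += delta;
    adj_branches(p, pos, delta, fix_backward);
    return 0;
}

/* Count jumps in `after` that no longer resolve to the same original
 * instruction they targeted in `before` (or that fall out of range). */
static int count_broken_jumps(const struct prog *before, const struct prog *after)
{
    int broken = 0;
    for (int i = 0; i < before->len; i++) {
        const struct insn *j = &before->insns[i];
        if (!j->is_jmp)
            continue;
        int want = before->insns[i + j->off + 1].id; /* original target */
        for (int k = 0; k < after->len; k++) {       /* find the same jump */
            const struct insn *a = &after->insns[k];
            if (!a->is_jmp || a->id != j->id)
                continue;
            int t = k + a->off + 1;
            if (t < 0 || t >= after->len ||
                after->insns[t].id != want || after->insns[t].frag != 0)
                broken++;
            break;
        }
    }
    return broken;
}

/* Constructed sample program: expand insn 2 into three instructions. */
static int run_scenario(int fix_backward)
{
    struct prog before = { .len = 7 };
    struct insn init[7] = {
        {0,  0, 0, 0}, /* 0: load */
        {1,  2, 1, 0}, /* 1: jmp +2 -> 4 (forward, crosses the rewrite) */
        {0,  0, 2, 0}, /* 2: ctx access that gets expanded */
        {0,  0, 3, 0}, /* 3: load */
        {1, -3, 4, 0}, /* 4: jmp -3 -> 2 (backward, lands on the expanded insn) */
        {1, -3, 5, 0}, /* 5: jmp -3 -> 3 (backward, lands after the expansion) */
        {0,  0, 6, 0}, /* 6: exit */
    };
    memcpy(before.insns, init, sizeof init);
    struct prog after = before;
    if (expand_insn(&after, 2, 3, fix_backward) != 0)
        return -1;
    return count_broken_jumps(&before, &after);
}

int main(void)
{
    printf("broken jumps without backward fixup: %d\n", run_scenario(0));
    printf("broken jumps with backward fixup:    %d\n", run_scenario(1));
    return 0;
}
```

Without the backward fixup, the jump at original index 4 keeps its offset of -3 after being shifted to index 6, so it lands on the last filler of the expansion (index 4) instead of the expanded instruction (index 2); the jump at original index 5 is correctly left alone in both variants because its target lies after the expanded region.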
Current thread:
- CVE Request: Linux: Incorrect branch fixups for eBPF allow arbitrary read Salvatore Bonaccorso (Feb 14)
- Re: CVE Request: Linux: Incorrect branch fixups for eBPF allow arbitrary read cve-assign (Feb 14)