oss-sec mailing list archives
CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability
From: tr3e wang <tr3e.wang () gmail com>
Date: Tue, 11 Jan 2022 20:00:08 +0800
Hi all, This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. BE AWARE, unprivileged bpf is disabled by default in most distros. *Affected Version* Linux kernel 5.8 or later (For now, 5.8 - 5.16) *Root Cause Analysis* eBPF provides some helper functions, and the verifier checks whether it is used properly according to bpf_func_proto. For some helper functions require a PTR_TO_MEM as an argument, the verifier MUST know the memory size through the next argument to prevent OOB. (see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/bpf/verifier.c?h=v5.10.83#n4579 ) However, bpf_ringbuf_submit and bpf_ringbuf_discard do not follow the aboving rule. the verifier never know the size of memory passing into these two helper functions, resulting in OOB. (see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/bpf/ringbuf.c?h=v5.10.83#n423 ) *Exploit Code* Exploit code will be delayed for 7 days and will be posted at 12:00 UTC, Jan 18, 2022 *Mitigations* set kernel.unprivileged_bpf_disabled to 1 BE AWARE AGAIN, unprivileged bpf is disabled by default in most distros. *Credits* tr3e of SecCoder Security Lab Best Regards, tr3e
Current thread:
- CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability tr3e wang (Jan 11)
- Re: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability tr3e wang (Jan 18)