Date: Mon, 22 Jun 2015 22:13:14 -0400 (EDT) From: Wade Mealing <wmealing@...hat.com> To: OSS Security List <oss-security@...ts.openwall.com> Cc: cve-assign@...re.org Subject: CVE request: Linux kernel - bpf jit optimization flaw can panic kenrel. Gday, I would like to request a CVE for a flaw in the BPF code in the Linux kernel. The kernels BPF JIT can be used to create a packet filter like mechanism that can be attached to a socket with the setsockopt() call. It requires JIT to be enabled via sysctl ( /proc/sys/net/core/bpf_jit_enable ) The kernel can turn BPF instructions into native hardware instructions using a JIT compiler. In the problematic case, the compiler fails to optimise a set of specially crafted instructions. This creates a problem when this faulty instruction list is used during filtering and the CPU can execute an invalid instruction (in receive_pkt). This can be triggered as an non-root user, as they can start a server on a ephemeral port and the packet filter with a specially crafted filter. These incorrect instructions will run when the server receives a packet and execute the buggy instructions. I'm unsure if this can lead to anything more than a DoS, however that is something I'll try to determine. This is already fixed upstream in , with a regression test case in . Thanks, Wade Mealing Red Hat Product Security References: 1] https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=3f7352bf21f8fd7ba3e2fcef9488756f188e12be 2] https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=bde28bc6ad0c575f8b4eebe8cd27e36d6c3b09c6 3] https://bugzilla.redhat.com/show_bug.cgi?id=1233615
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ