Date: Mon, 22 Jun 2015 22:13:14 -0400 (EDT)
From: Wade Mealing <>
To: OSS Security List <>
Subject: CVE request: Linux kernel - bpf jit optimization flaw can panic

I would like to request a CVE for a flaw in the BPF code in the Linux kernel.
The kernel's BPF JIT can be used to create a packet-filter-like mechanism
that can be attached to a socket with the setsockopt() call. It requires
JIT to be enabled via sysctl (/proc/sys/net/core/bpf_jit_enable).
The kernel can turn BPF instructions into native hardware instructions using
a JIT compiler. In the problematic case, the compiler fails to optimise a set
of specially crafted instructions. This creates a problem when this faulty
instruction list is used during filtering, and the CPU can execute an invalid
instruction (in receive_pkt).
This can be triggered as a non-root user, as they can start a server on an
ephemeral port and attach the packet filter with a specially crafted filter.
These incorrect instructions will run when the server receives a packet and
executes the buggy instructions.
I'm unsure if this can lead to anything more than a DoS; however, that
is something I'll try to determine.
This is already fixed upstream in [1], with a regression test case in [2].
Wade Mealing
Red Hat Product Security

