Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 22 Jun 2015 22:13:14 -0400 (EDT)
From: Wade Mealing <wmealing@...hat.com>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: cve-assign@...re.org
Subject: CVE request: Linux kernel - bpf jit optimization flaw can panic
 kenrel.

Gday,
 
I would like to request a CVE for a flaw in the BPF code in the Linux kernel. 
 
The kernels BPF JIT can be used to create a packet filter like mechanism
that can be attached to a socket with the setsockopt() call.  It requires 
JIT to be enabled via sysctl ( /proc/sys/net/core/bpf_jit_enable )
 
The kernel can turn BPF instructions into native hardware instructions using 
a JIT compiler. In the problematic case, the compiler fails to optimise a set 
of specially crafted instructions. This creates a problem when this faulty
instruction list is used during filtering and the CPU can execute an invalid
instruction (in receive_pkt).
 
This can be triggered as an non-root user, as they can start a server on a 
ephemeral port and the packet filter with a specially crafted filter.
 
These incorrect instructions will run when the server receives a packet and execute 
the buggy instructions.
 
I'm unsure if this can lead to anything more than a DoS, however that
is something I'll try to determine.
 
This is already fixed upstream in [1], with a regression test case in [2].
 
Thanks,
 
Wade Mealing
Red Hat Product Security


References:
1] https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=3f7352bf21f8fd7ba3e2fcef9488756f188e12be
2] https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=bde28bc6ad0c575f8b4eebe8cd27e36d6c3b09c6
3] https://bugzilla.redhat.com/show_bug.cgi?id=1233615 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ