Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 24 Dec 2017 09:23:15 +0100
From: Salvatore Bonaccorso <>
Subject: Re: Linux >=4.9: eBPF memory corruption bugs


Debian issued an update yesterday, an while preparing the fixes three
more CVEs were requested which are related:



    Alexei Starovoitov discovered that the Extended BPF verifier
    ignored unreachable code, even though it would still be processed
    by JIT compilers.  This could possibly be used by local users for
    denial of service.  It also increases the severity of bugs in
    determining unreachable code.


    Jann Horn discovered that the Extended BPF verifier did not
    correctly model pointer arithmetic on the stack frame pointer.
    A local user can use this for privilege escalation.

This 'fixes' 7bca0a9702edfc8d0e7e46f984ca422ffdbe0498 (introduced in
4.9.28) which was 332270fdc8b6fba07d059a9ad44df9e1a2ad4529 (4.12-rc1) in
mainline. Quoting the message from Jann: This is a fix specifically for
the v4.9 stable tree because the mainline code looks very different at
this point."


    Jann Horn discovered that the Extended BPF verifier could fail to
    detect pointer leaks from conditional code.  A local user could
    use this to obtain sensitive information in order to exploit
    other vulnerabilities.

Only reference so far:

Quoting the commit/patch description:

> This was fixed differently upstream, but the code around here was
> largely rewritten in 4.14 by commit f1174f77b50c "bpf/verifier: rework
> value tracking".  The bug can be detected by the bpf/verifier sub-test
> "pointer/scalar confusion in state equality check (way 1)".

and further he stated:

The upstream fix is definitely post-4.14, probably "bpf: don't prune
branches when a scalar is replaced with a pointer", but no bisect was
done to confirm, so this question is still open.


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ