Date: Tue, 23 Mar 2021 10:03:06 -0700 From: Steve Beattie <steve.beattie@...onical.com> To: oss-security@...ts.openwall.com Cc: ONE K <n4ke4mry@...il.com> Subject: [CVE-2021-3444] Linux kernel bpf verifier incorrect mod32 truncation Hello, CVE-2021-3444 - Linux kernel bpf verifier incorrect mod32 truncation Recently, it was discovered that bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. De4dCr0w of 360 Alpha Lab discovered that this vulnerability could be turned into out-of-bounds reads in the kernel, and out-of-bounds writes can not be ruled out. It was fixed in upstream commit: 9b00f1b78809 ("bpf: Fix truncation handling for mod32 dst reg wrt zero") and also landed in the 5.11.2, 5.10.19, and 5.4.101 stable kernels. The commit itself references 468f6eafa6c4 ("bpf: fix 32-bit ALU op verification") (v4.15-rc5) as introducing the issue, but further analysis seemed to indicate that f6b1b3bf0d5f ("bpf: fix subprog verifier bypass by div/mod by 0 exception") (v4.16-rc1) was also necessary to take advantage of the vulnerability. Thanks. -- Steve Beattie <sbeattie@...ntu.com> Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.