Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 11 May 2021 14:55:49 -0300
From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-3489 - Linux kernel eBPF RINGBUF map oversized allocation

It was discovered that eBPF RINGBUF bpf_ringbuf_reserve did not check
that the allocated size was smaller than the ringbuf size.

Ryota Shiga(@Ga_ryo_) of Flatt Security working with Trend Micro's Zero Day
Initiative discovered that this vulnerability could be turned into
out-of-bounds writes in the kernel. This has been originally reported as
ZDI-CAN-13586, and assigned CVE-2021-3489.

It was introduced by commit 457f44363a88 ("bpf: Implement BPF ring buffer
and verifier support for it"), so affects any kernels later than 5.8-rc1.
It was not backported to any upstream LTS kernel.

The proposed fix is that the allocating size cannot be larger than the
ringbuf size. Also, in order to prevent other exploits that change the
producer pointer or record headers, deny writable maps of those pages, as
was documented and is used by libbpf.

This is fixed by the following commit:
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=4b81ccebaeee885ab1aa1438133f2991e3a2b6ea

The commit below is also helpful in preventing other exploits:
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=04ea3086c4d73da7009de1e84962a904139af219

And the following commit to bpf selftests is useful for validating the above fix:
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=98a34e93da83e50e197584c7c362668bf12c1d54

Cascardo.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.