Date: Tue, 11 May 2021 14:55:49 -0300
From: Thadeu Lima de Souza Cascardo <>
Subject: CVE-2021-3489 - Linux kernel eBPF RINGBUF map oversized allocation

It was discovered that eBPF RINGBUF bpf_ringbuf_reserve did not check
that the allocated size was smaller than the ringbuf size.

Ryota Shiga (@Ga_ryo_) of Flatt Security, working with Trend Micro's Zero Day
Initiative, discovered that this vulnerability could be turned into
out-of-bounds writes in the kernel. This was originally reported as
ZDI-CAN-13586, and assigned CVE-2021-3489.

It was introduced by commit 457f44363a88 ("bpf: Implement BPF ring buffer
and verifier support for it"), so it affects any kernel later than 5.8-rc1.
It was not backported to any upstream LTS kernel.

The proposed fix is that the allocated size cannot be larger than the
ringbuf size. Also, in order to prevent other exploits that change the
producer pointer or record headers, deny writable maps of those pages, as
was documented and is used by libbpf.
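The following is an added model (not kernel code, not from this report) of the reservation check the fix adds: the pre-existing "buffer full" test only measures free space relative to the consumer position, whereas the fix bounds the record against the data area itself. The 8-byte header, power-of-two data area and doubled backing are assumptions that mirror the ring buffer's layout; the sizes in the scenario are constructed.

```c
#include <stdint.h>

/* Constructed model of BPF ring buffer reservation; not kernel code.
 * Assumptions: data area size is a power of two, the record header is 8 bytes,
 * positions are monotonically increasing logical offsets, and the data area has
 * 2*(mask+1) bytes of backing, mirroring the double mapping used for wrap-around. */
#define RB_HDR_SZ 8u

struct rb_model {
    uint64_t mask;      /* data area size - 1 */
    uint64_t cons_pos;  /* consumer position, shared with the consumer side */
    uint64_t prod_pos;  /* producer position, owned by the producer side */
};

static uint64_t round_up8(uint64_t v) { return (v + 7) & ~(uint64_t)7; }

/* Reserve `size` payload bytes. Returns the header offset in the data area,
 * or -1 if refused. bound_to_ringbuf=1 models the CVE-2021-3489 fix. */
static int64_t rb_reserve(struct rb_model *rb, uint64_t size, int bound_to_ringbuf)
{
    uint64_t len = round_up8(size + RB_HDR_SZ);
    /* The fix: a record is never longer than the whole data area, whatever
     * the consumer position claims. */
    if (bound_to_ringbuf && len > rb->mask + 1)
        return -1;
    /* Pre-existing "buffer full" test. It measures free space relative to
     * cons_pos, so it only bounds len when cons_pos reflects real consumption. */
    if (rb->prod_pos + len - rb->cons_pos > rb->mask)
        return -1;
    int64_t off = (int64_t)(rb->prod_pos & rb->mask);
    rb->prod_pos += len;
    return off;
}

/* True if a record of `size` payload bytes at `off` stays inside the backing. */
static int rb_record_in_bounds(const struct rb_model *rb, int64_t off, uint64_t size)
{
    return off >= 0 && (uint64_t)off + round_up8(size + RB_HDR_SZ) <= 2 * (rb->mask + 1);
}

/* Scenario: a 4 KiB data area whose consumer position no longer reflects real
 * consumption, then a reservation larger than the data area. Returns 1 if the
 * reservation is accepted and lands out of bounds, 0 otherwise. */
static int oversized_record_escapes(int bound_to_ringbuf)
{
    struct rb_model rb = { .mask = 4095, .cons_pos = 12288, .prod_pos = 5128 };
    int64_t off = rb_reserve(&rb, 8192, bound_to_ringbuf);
    return off >= 0 && !rb_record_in_bounds(&rb, off, 8192);
}
```

The lesson the model makes visible is a general one: a bound derived from state another party can update is not a substitute for checking against the structure's own invariant.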

This is fixed by the following commit:

The commit below is also helpful in preventing other exploits:

And the following commit to bpf selftests is useful for validating the above fix:

