Date: Tue, 11 May 2021 14:55:49 -0300 From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com> To: oss-security@...ts.openwall.com Subject: CVE-2021-3489 - Linux kernel eBPF RINGBUF map oversized allocation It was discovered that eBPF RINGBUF bpf_ringbuf_reserve did not check that the allocated size was smaller than the ringbuf size. Ryota Shiga(@Ga_ryo_) of Flatt Security working with Trend Micro's Zero Day Initiative discovered that this vulnerability could be turned into out-of-bounds writes in the kernel. This has been originally reported as ZDI-CAN-13586, and assigned CVE-2021-3489. It was introduced by commit 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it"), so affects any kernels later than 5.8-rc1. It was not backported to any upstream LTS kernel. The proposed fix is that the allocating size cannot be larger than the ringbuf size. Also, in order to prevent other exploits that change the producer pointer or record headers, deny writable maps of those pages, as was documented and is used by libbpf. This is fixed by the following commit: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=4b81ccebaeee885ab1aa1438133f2991e3a2b6ea The commit below is also helpful in preventing other exploits: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=04ea3086c4d73da7009de1e84962a904139af219 And the following commit to bpf selftests is useful for validating the above fix: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=98a34e93da83e50e197584c7c362668bf12c1d54 Cascardo.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.