Date: Tue, 11 May 2021 14:56:47 -0300 From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com> To: oss-security@...ts.openwall.com Subject: CVE-2021-3490 - Linux kernel eBPF bitwise ops ALU32 bounds tracking It was discovered that eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) did not update the 32-bit bounds. Manfred Paul (@_manfp) of the RedRocket CTF team (@redrocket_ctf) working with Trend Micro's Zero Day Initiative discovered that this vulnerability could be turned into out-of-bounds reads and writes in the kernel. This has been reported as ZDI-CAN-13590, and assigned CVE-2021-3490. It was introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking"). The XOR version was introduced by commit 2921c90d4718 ("bpf: Fix a verifier failure with xor"). The first one was introduced in 5.7-rc1, while the latter was introduced in 5.10-rc1. There has been no backport to any upstream LTS kernel. This was fixed by commit: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=049c4e13714ecbca567b4d5f6d563f05d431c80e Cascardo.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.