Date: Tue, 11 May 2021 14:56:47 -0300
From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-3490 - Linux kernel eBPF bitwise ops ALU32 bounds tracking

It was discovered that eBPF ALU32 bounds tracking for bitwise ops (AND, OR and
XOR) did not update the 32-bit bounds.

Manfred Paul (@_manfp) of the RedRocket CTF team (@redrocket_ctf) working with
Trend Micro's Zero Day Initiative discovered that this vulnerability could be
turned into out-of-bounds reads and writes in the kernel. This has been
reported as ZDI-CAN-13590, and assigned CVE-2021-3490.

It was introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32
bounds tracking"). The XOR version was introduced by commit 2921c90d4718 ("bpf:
Fix a verifier failure with xor"). The first one was introduced in 5.7-rc1,
while the latter was introduced in 5.10-rc1. There has been no backport to any
upstream LTS kernel.

This was fixed by commit:
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=049c4e13714ecbca567b4d5f6d563f05d431c80e

Cascardo.
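
The commits and versions named in the message above can be turned into a quick triage check. This is an added example, not part of the original post or of any kernel tooling. The function names `ops_introduced` and `tree_state` are hypothetical, version matching assumes upstream version numbering, and the ancestry test assumes a git tree that shares upstream history.

```shell
#!/bin/sh
# Commit ids below are copied from the advisory text.
INTRO_ALU32=3f50f132d840   # explicit ALU32 bounds tracking, first in 5.7-rc1
INTRO_XOR=2921c90d4718     # XOR variant, first in 5.10-rc1 (implied by the version split below)
FIX=049c4e13714ecbca567b4d5f6d563f05d431c80e

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# ops_introduced VERSION: which bitwise ops have the flawed tracking code in
# an upstream kernel of that version ("none", "and,or", "and,or,xor").
# The version alone does not say whether the fix commit is present.
ops_introduced() {
    v=${1%%-*}                          # drop "-rc1", "-53-generic", ...
    case "$v" in *.*) ;; *) echo unknown; return 1 ;; esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    is_num "$major" && is_num "$minor" || { echo unknown; return 1; }
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 10 ]; }; then
        echo "and,or,xor"
    elif [ "$major" -eq 5 ] && [ "$minor" -ge 7 ]; then
        echo "and,or"
    else
        echo "none"
    fi
}

# is_ancestor REPO COMMIT REV: true if COMMIT is reachable from REV.
is_ancestor() { git -C "$1" merge-base --is-ancestor "$2" "$3" 2>/dev/null; }

# tree_state REPO [REV]: "fixed", "vulnerable", "not-introduced" or "unknown".
# Cherry-picked backports get new hashes and are not seen by this test.
tree_state() {
    rev=${2:-HEAD}
    git -C "$1" rev-parse -q --verify "$rev^{commit}" >/dev/null 2>&1 ||
        { echo unknown; return 1; }
    if is_ancestor "$1" "$FIX" "$rev"; then echo fixed
    elif is_ancestor "$1" "$INTRO_ALU32" "$rev"; then echo vulnerable
    else echo not-introduced
    fi
}

# Usage: script.sh VERSION [REPO [REV]], e.g. script.sh "$(uname -r)" ~/src/linux
if [ $# -gt 0 ]; then
    echo "ops with ALU32 tracking code: $(ops_introduced "$1")"
    if [ -n "$2" ]; then echo "tree state: $(tree_state "$2" "$3")"; fi
fi
```

For distribution or vendor kernels, where backports change commit hashes and version numbers, check the vendor's changelog for the fix commit id instead of relying on this output.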