Bug 642306 (CVE-2017-16995) - kernel: memory corruption caused by BPF verifier bugs can allow for arbitrary code execution (CVE-2017-16995)
Status: RESOLVED FIXED
Alias: CVE-2017-16995
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Kernel Security
URL: http://openwall.com/lists/oss-securit...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-12-26 12:27 UTC by Arisu Tachibana
Modified: 2022-03-26 00:38 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Arisu Tachibana Gentoo Infrastructure gentoo-dev 2017-12-26 12:27:58 UTC
Incoming details.

Reproducible: Always
Comment 1 Arisu Tachibana Gentoo Infrastructure gentoo-dev 2017-12-26 12:35:44 UTC
==== Summary ====

A few BPF verifier bugs in the Linux kernel, most of which can be used
for controlled memory corruption.


===== POC =====

PoC for "bpf: fix incorrect sign extension in check_alu_op()"

https://bugs.chromium.org/p/project-zero/issues/detail?id=1454


===== Affected Versions =====

One of the bugs was introduced in 4.9, the others were only introduced
in 4.14.
Affected Linux kernel through 4.14.8

RHEL claimed by the vendor as not affected.

Fixed on Dec 21, 2017:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95a762e2c8c942780948091f8f2a4f32fce1ac6f

===== Timeline =====

21.12.17 — Public announcement


===== Credit =====

Debian GNU/Linux
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-26 12:50:03 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1528518:

Linux kernel built with the eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support
is vulnerable to an arbitrary memory r/w access issue. It could occur if a user supplied a malicious BPF program which results in calculation errors in the eBPF verifier module.

An unprivileged user could use this flaw to escalate their privileges on a system.

Upstream patch
--------------
  -> https://git.kernel.org/linus/3db9128fcf02dcaafa3860a69a8a55d5529b6e30

References:
-----------
  -> http://seclists.org/oss-sec/2017/q4/429
  -> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16995
  -> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16995
  -> https://bugs.chromium.org/p/project-zero/issues/detail?id=1454

Mitigation:
-----------
  # echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-26 00:38:20 UTC
Fix in 4.9.72, 4.14.9, 4.15.
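
Added example, not part of the bug report and not Gentoo or kernel tooling: a host triage script that combines the fixed releases from comment 3 with the sysctl workaround from comment 2. The function names and status words are hypothetical, and treating 4.10-4.13 as unfixed is an assumption, since the report lists no fixed release for those branches.

```shell
#!/bin/sh
# Added example: triage a host for this bug using only facts from the bug report.
# Version compare cannot see distro backports (the report notes RHEL as not affected).

# classify_kernel VERSION -> fixed | unfixed | predates | unknown
classify_kernel() {
    case "$1" in *-rc*) echo unknown; return ;; esac   # pre-releases not judged
    ver=${1%%-*}; ver=${ver%%+*}                       # drop "-gentoo", "+" suffixes
    case "$ver" in *.*) ;; *) echo unknown; return ;; esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; *) patch=0 ;; esac
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) echo unknown; return ;; esac
    done
    if [ "$major" -gt 4 ]; then echo fixed
    elif [ "$major" -lt 4 ] || [ "$minor" -lt 9 ]; then echo predates   # bugs date from 4.9
    elif [ "$minor" -eq 9 ]; then
        if [ "$patch" -ge 72 ]; then echo fixed; else echo unfixed; fi
    elif [ "$minor" -eq 14 ]; then
        if [ "$patch" -ge 9 ]; then echo fixed; else echo unfixed; fi
    elif [ "$minor" -ge 15 ]; then echo fixed
    else echo unfixed   # assumption: 4.10-4.13 have no fixed release listed in the report
    fi
}

# assess VERSION SYSCTL_VALUE -> fixed | predates | unknown | mitigated | exposed | knob-absent
# SYSCTL_VALUE is the content of /proc/sys/kernel/unprivileged_bpf_disabled ("" if missing).
assess() {
    state=$(classify_kernel "$1")
    if [ "$state" != unfixed ]; then echo "$state"; return; fi
    case "$2" in
        '') echo knob-absent ;;   # check CONFIG_BPF_SYSCALL by hand
        0)  echo exposed ;;       # unprivileged bpf(2) still allowed
        *)  echo mitigated ;;     # workaround from comment 2 is active
    esac
}

# Report on the local machine when run directly on Linux.
if [ "$(uname -s)" = Linux ]; then
    knob=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true)
    echo "$(uname -r): $(assess "$(uname -r)" "$knob")"
fi
```

The echo into /proc from comment 2 does not survive a reboot; setting kernel.unprivileged_bpf_disabled = 1 in a sysctl.d file keeps a "mitigated" host in that state until the kernel is updated.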