==== Summary ====
A few BPF verifier bugs in the Linux kernel, most of which can be used
for controlled memory corruption.
===== POC =====
PoC for "bpf: fix incorrect sign extension in check_alu_op()"
===== Affected Versions =====
One of the bugs was introduced in 4.9, the others were only introduced
Affected: Linux kernel through 4.14.8
RHEL is claimed by the vendor to be not affected.
Fixed on Dec 21, 2017:
===== Timeline =====
21.12.17 — Public announcement
===== Credit =====
A Linux kernel built with eBPF bpf(2) system call support (CONFIG_BPF_SYSCALL)
is vulnerable to an arbitrary memory r/w access issue. It could occur if a user supplied a malicious BPF program that causes calculation errors in the eBPF verifier module.
An unprivileged user could use this flaw to escalate their privileges on a system.
# echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
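
The command above turns off bpf(2) for unprivileged users until the next reboot. As an added example (not part of the original advisory), the script below triages a host against the version range stated under "Affected Versions" and the state of that sysctl; the function names and verdict words are illustrative assumptions.

```shell
#!/bin/sh
# Added example: host triage for this advisory. Names and verdict words are
# illustrative. Range 4.9 .. 4.14.8 is taken from "Affected Versions" above.

# release_key RELEASE: print major*1000000 + minor*1000 + patch for strings
# such as "4.14.8-generic"; fail if RELEASE does not start with N.N.
release_key() {
    set -- $(printf '%s\n' "$1" |
        sed -nE 's/^([0-9]+)\.([0-9]+)(\.([0-9]+))?.*/\1 \2 \4/p')
    [ $# -ge 2 ] || return 1
    echo $(( $1 * 1000000 + $2 * 1000 + ${3:-0} ))
}

# triage RELEASE SYSCTL_VALUE: print one verdict word.
# SYSCTL_VALUE is the content of /proc/sys/kernel/unprivileged_bpf_disabled,
# or empty when that file does not exist.
triage() {
    key=$(release_key "$1") || { echo unknown-release; return 0; }
    if [ "$key" -lt 4009000 ] || [ "$key" -gt 4014008 ]; then
        echo outside-range      # version not in the range the advisory states
    elif [ -z "$2" ]; then
        echo no-bpf-sysctl      # sysctl absent: check CONFIG_BPF_SYSCALL
    elif [ "$2" = 0 ]; then
        echo exposed            # in range, unprivileged bpf(2) still allowed
    else
        echo mitigated          # in range, unprivileged bpf(2) disabled
    fi
}

# Live check of the current host.
triage "$(uname -r)" "$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null)"
```

The version comparison is only a first pass, since distribution kernels carry backported fixes under older version strings (the RHEL statement above is one such case). To keep the setting across reboots, put `kernel.unprivileged_bpf_disabled = 1` in a file under /etc/sysctl.d/.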