Incoming details. Reproducible: Always
==== Summary ====
A few BPF verifier bugs in the Linux kernel, most of which can be used for controlled memory corruption.

===== POC =====
PoC for "bpf: fix incorrect sign extension in check_alu_op()": https://bugs.chromium.org/p/project-zero/issues/detail?id=1454

===== Affected Versions =====
One of the bugs was introduced in 4.9; the others were only introduced in 4.14. Affected Linux kernels: through 4.14.8. RHEL is claimed by the vendor as not affected.
Fixed on Dec 21, 2017: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95a762e2c8c942780948091f8f2a4f32fce1ac6f

===== Timeline =====
21.12.17 — Public announcement

===== Credit =====
Debian GNU/Linux
From https://bugzilla.redhat.com/show_bug.cgi?id=1528518:

A Linux kernel built with eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support is vulnerable to an arbitrary memory r/w access issue. It could occur if a user supplied a malicious BPF program which results in a calculation error in the eBPF verifier module. An unprivileged user could use this flaw to escalate their privileges on a system.

Upstream patch
--------------
-> https://git.kernel.org/linus/3db9128fcf02dcaafa3860a69a8a55d5529b6e30

References:
-----------
-> http://seclists.org/oss-sec/2017/q4/429
-> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16995
-> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16995
-> https://bugs.chromium.org/p/project-zero/issues/detail?id=1454

Mitigation:
-----------
# echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
Fixed in 4.9.72, 4.14.9 and 4.15.
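An added triage script (not part of the advisory or of any vendor tooling) that classifies a kernel version string against the fixed releases named above and checks whether the unprivileged_bpf_disabled mitigation is in effect. It assumes the 4.10-4.13 series are affected because no fixed point release is named for them; distribution backports may differ.

```shell
#!/bin/sh
# Added example, not from the advisory: triage CVE-2017-16995 exposure on a host.

# kernel_status VERSION -> prints "unaffected", "affected" or "fixed".
# Accepts uname -r style strings such as "4.9.71-1-amd64".
kernel_status() {
    ver=${1%%-*}                     # strip "-1-amd64" style suffixes
    ver=${ver%%+*}                   # strip "+" local-version suffixes
    old_ifs=$IFS
    IFS=.
    set -- $ver                      # split on dots into $1 $2 $3
    IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; patch=${3:-0}

    if [ "$maj" -ne 4 ]; then
        [ "$maj" -lt 4 ] && echo unaffected || echo fixed
        return
    fi
    if   [ "$min" -lt 9 ];  then echo unaffected     # first bug introduced in 4.9
    elif [ "$min" -eq 9 ];  then [ "$patch" -lt 72 ] && echo affected || echo fixed
    elif [ "$min" -lt 14 ]; then echo affected       # 4.10-4.13: assumption, no fix named
    elif [ "$min" -eq 14 ]; then [ "$patch" -lt 9 ] && echo affected || echo fixed
    else                         echo fixed          # 4.15 and later
    fi
}

# mitigation_status [FILE] -> prints "exposed", "mitigated" or "unknown".
# Reads /proc/sys/kernel/unprivileged_bpf_disabled unless a path is given;
# 0 allows unprivileged bpf(), any other value blocks it.
mitigation_status() {
    f=${1:-/proc/sys/kernel/unprivileged_bpf_disabled}
    [ -r "$f" ] || { echo unknown; return; }
    case $(cat "$f") in
        0) echo exposed ;;
        *) echo mitigated ;;
    esac
}

# Stand-alone use: report the running kernel.
running=$(uname -r)
echo "kernel $running: $(kernel_status "$running"); unprivileged bpf(): $(mitigation_status)"
```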