Bug 642306 (CVE-2017-16995) - kernel: memory corruption caused by BPF verifier bugs can allow for arbitrary code execution (CVE-2017-16995)
Summary: kernel: memory corruption caused by BPF verifier bugs can allow for arbitrary...
Status: IN_PROGRESS
Alias: CVE-2017-16995
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Kernel Security
URL: http://openwall.com/lists/oss-securit...
Whiteboard: A1
Reported: 2017-12-26 12:27 UTC by Alice Ferrazzi
Modified: 2018-01-04 00:27 UTC
CC: 2 users
Description Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2017-12-26 12:27:58 UTC
Incoming details.

Reproducible: Always
Comment 1 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2017-12-26 12:35:44 UTC
==== Summary ====

A few BPF verifier bugs in the Linux kernel, most of which can be used
for controlled memory corruption.


===== POC =====

PoC for "bpf: fix incorrect sign extension in check_alu_op()"

https://bugs.chromium.org/p/project-zero/issues/detail?id=1454


===== Affected Versions =====

One of the bugs was introduced in 4.9; the others were only introduced
in 4.14.
Affected: Linux kernel through 4.14.8.

RHEL is claimed by the vendor as not affected.

Fixed on Dec 21, 2017:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95a762e2c8c942780948091f8f2a4f32fce1ac6f

===== Timeline =====

21.12.17 — Public announcement


===== Credit =====

Debian GNU/Linux
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-12-26 12:50:03 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1528518:

A Linux kernel built with eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support
is vulnerable to an arbitrary memory r/w access issue. It could occur if a user supplied a malicious BPF program which results in a calculation error in the eBPF verifier module.

An unprivileged user could use this flaw to escalate their privileges on a system.

Upstream patch
--------------
  -> https://git.kernel.org/linus/3db9128fcf02dcaafa3860a69a8a55d5529b6e30

References:
-----------
  -> http://seclists.org/oss-sec/2017/q4/429
  -> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16995
  -> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16995
  -> https://bugs.chromium.org/p/project-zero/issues/detail?id=1454

Mitigation:
-----------
  # echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
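As an added example (not part of the Gentoo bug or the kernel project), a small POSIX shell audit that combines the two facts above: the affected version range (4.9 through 4.14.8, before the Dec 21 2017 upstream fix) and the sysctl mitigation. The version comparison is deliberately coarse, since distributions may backport the fix without changing the version string; the function names and the `RUN_CHECK` variable are assumptions of this example.

```shell
#!/bin/sh
# Constructed defender-side check for CVE-2017-16995 exposure (example code,
# not from the bug report). Assumes version strings of the form
# "MAJOR.MINOR[.PATCH][-suffix]", e.g. "4.14.8-gentoo".

# Print "MAJOR MINOR PATCH" for a kernel version string, dropping any suffix.
kver_parts() {
    v=${1%%-*}                          # strip "-gentoo", "-rc1", ...
    major=${v%%.*}; rest=${v#*.}
    if [ "$rest" = "$v" ]; then minor=0; patch=0
    else
        minor=${rest%%.*}; rest2=${rest#*.}
        if [ "$rest2" = "$rest" ]; then patch=0; else patch=${rest2%%.*}; fi
    fi
    printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# Return 0 when version $1 falls in the range the report names (4.9 .. 4.14.8).
# Coarse: a distro kernel may carry the fix without a version bump.
kernel_version_affected() {
    set -- $(kver_parts "$1")
    num=$(( $1 * 1000000 + $2 * 1000 + $3 ))
    [ "$num" -ge 4009000 ] && [ "$num" -le 4014008 ]
}

# Return 0 when unprivileged bpf(2) is disabled through the sysctl from the
# Mitigation section. $1 optionally overrides the sysctl path (used by tests).
unprivileged_bpf_disabled() {
    f=${1:-/proc/sys/kernel/unprivileged_bpf_disabled}
    [ -r "$f" ] || return 1             # knob absent: treat as not disabled
    read -r val < "$f"
    [ "$val" -ge 1 ] 2>/dev/null        # any value >= 1 blocks unprivileged bpf(2)
}

# Combine both checks; $1 overrides `uname -r`, $2 overrides the sysctl path.
check_cve_2017_16995() {
    ver=${1:-$(uname -r)}
    if ! kernel_version_affected "$ver"; then
        echo "kernel $ver: outside affected range (4.9 .. 4.14.8)"; return 0
    fi
    if unprivileged_bpf_disabled "$2"; then
        echo "kernel $ver: in affected range, unprivileged BPF disabled (mitigated)"; return 0
    fi
    echo "kernel $ver: in affected range and unprivileged bpf(2) enabled;"
    echo "  apply the upstream fix or set kernel.unprivileged_bpf_disabled=1"
    return 2
}

# Run the live check only when explicitly requested, so the file can be sourced.
if [ -n "${RUN_CHECK:-}" ]; then check_cve_2017_16995; fi
```

Run with `RUN_CHECK=1 sh check.sh` on the host, or source the file and call `check_cve_2017_16995 4.14.8` to test a specific version string.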