ACK/Cmnt: [B, B:hwe, F, F:oem-5.6, F:oem-5.10, G][PATCH 0/2] CVE-2021-29154 - Linux kernel incorrect computation of branch displacements in BPF JIT compiler can be abused to execute arbitrary code in Kernel mode
Tim Gardner
tim.gardner at canonical.com
Thu Apr 8 18:34:10 UTC 2021
- Previous message (by thread): ACK: [B, B:hwe, F, F:oem-5.6, F:oem-5.10, G][PATCH 0/2] CVE-2021-29154 - Linux kernel incorrect computation of branch displacements in BPF JIT compiler can be abused to execute arbitrary code in Kernel mode
- Next message (by thread): APPLIED[B, B:hwe, F, G]: [B, B:hwe, F, F:oem-5.6, F:oem-5.10, G][PATCH 0/2] CVE-2021-29154 - Linux kernel incorrect computation of branch displacements in BPF JIT compiler can be abused to execute arbitrary code in Kernel mode
Acked-by: Tim Gardner <tim.gardner at canonical.com>
Given that there are only 2 patches in the BPF git repo related to this
vulnerability, one has to assume that it's an x86-only bug. The commit
log is a little fuzzy on that point. The statement, "The issue is with
how BPF JIT compilers for some architectures compute branch
displacements when generating machine code.", kind of implies that there
could be more than just x86'en with this problem.
On 4/8/21 12:07 PM, Marcelo Henrique Cerri wrote:
> Both fixes are needed for:
> - bionic:linux-hwe
> - focal:linux
> - focal:linux-oem-5.6
> - focal:linux-oem-5.10
> - groovy:linux
>
> bionic:linux only needs the first patch.
>
> As per https://www.openwall.com/lists/oss-security/2021/04/08/1 by
> Piotr Krysiuk:
>
> An issue has been discovered in the Linux kernel that can be abused by
> unprivileged local users to escalate privileges.
>
> The issue is with how BPF JIT compilers for some architectures compute
> branch displacements when generating machine code. This can be abused
> to craft anomalous machine code and execute it in the Kernel mode,
> where the control flow is hijacked to execute unsafe code.
>
> I developed PoCs for x86-64 and x86-32 architectures to demonstrate
> shellcode execution in Kernel mode by unprivileged local users.
>
> One of these PoCs has been shared privately with <security at ...nel.org>
> to assist with fix development.
>
> Patches to mitigate the issue for x86-64 and x86-32 architectures are
> available. These patches do not attempt to correct the underlying
> algorithm and instead assert that all computations were performed
> correctly, such that all unsafe inputs are rejected.
>
> The patches were published via BPF subsystem public git repository:
> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=e4d4d456436bfb2fe412ee2cd489f7658449b098
> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=26f55a59dc65ff77cd1c4b37991e26497fc68049
>
> # Discoverer
>
> Piotr Krysiuk <piotras at ...il.com>
>
> # References
>
> CVE-2021-29154 (reserved via https://cveform.mitre.org/)
>
> ---
> Piotr Krysiuk (2):
> UBUNTU: SAUCE: bpf, x86: Validate computation of branch displacements for x86-64
> UBUNTU: SAUCE: bpf, x86: Validate computation of branch displacements for x86-32
>
> arch/x86/net/bpf_jit_comp.c | 11 ++++++++++-
> arch/x86/net/bpf_jit_comp32.c | 11 ++++++++++-
> 2 files changed, 20 insertions(+), 2 deletions(-)
>
--
-----------
Tim Gardner
Canonical, Inc
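The advisory quoted above says the fixes do not correct the displacement algorithm but instead assert that the computations were performed correctly and reject anything else. The following is an added example of mine, not kernel code: a toy two-opcode JIT with x86-style short (EB disp8) and long (E9 disp32) jumps, a multi-pass driver that iterates until the total length stops changing, and an emitting pass that checks each instruction's end offset against the addrs[] array filled in by the previous pass. The ISA, the helper names (do_jit, jit_compile, image_jumps_are_sane) and the sample programs are my own assumptions, chosen to mirror the structure the advisory describes rather than to reproduce the kernel's code. The last part of main shows what the check protects against: with stale addrs[], the unchecked path encodes a jump that points outside the program, while the checked path rejects it.

```c
/* Added example, not kernel code: a toy multi-pass JIT that emits x86-style
 * jumps (EB disp8 / E9 disp32) for a two-opcode ISA.  The emitting pass does
 * not recompute the layout; it asserts that every instruction ends where the
 * last measuring pass said it would, and rejects the program otherwise. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OP_NOP, OP_JMP };
struct insn { int op; int off; };   /* off is relative to the next insn, as in BPF */

#define MAX_INSNS 256
#define MAX_IMAGE (MAX_INSNS * 5)     /* longest encoding is 5 bytes */
#define INSN_SZ_ESTIMATE 64           /* first-pass guess per instruction */

static int is_imm8(long v) { return v >= -128 && v <= 127; }

/* One pass over prog.  addrs[i + 1] is the end offset of insn i as recorded
 * by the previous pass and is overwritten as this pass proceeds (addrs[0] == 0).
 * With image set this is the emitting pass; with validate set it refuses to
 * write an instruction whose end offset differs from the measured one or that
 * would overrun the measured image size.  Returns the length, or -1. */
static long do_jit(const struct insn *prog, int n, int *addrs,
                   uint8_t *image, long oldproglen, int validate)
{
    long proglen = 0;
    for (int i = 0; i < n; i++) {
        uint8_t tmp[5];
        int ilen;
        if (prog[i].op == OP_NOP) {
            tmp[0] = 0x90; ilen = 1;
        } else {
            /* displacement = start of target insn - end of this insn */
            long disp = addrs[i + 1 + prog[i].off] - addrs[i + 1];
            if (is_imm8(disp)) {
                tmp[0] = 0xEB; tmp[1] = (uint8_t)disp; ilen = 2;
            } else {
                int32_t d32 = (int32_t)disp;
                tmp[0] = 0xE9; memcpy(tmp + 1, &d32, 4); ilen = 5;
            }
        }
        if (image) {
            if (validate && (proglen + ilen > oldproglen ||
                             proglen + ilen != addrs[i + 1]))
                return -1;   /* layout drifted since measurement: reject */
            memcpy(image + proglen, tmp, ilen);
        }
        proglen += ilen;
        addrs[i + 1] = (int)proglen;
    }
    return proglen;
}

/* Estimate, iterate (at most max_passes) until the total length stops
 * changing, then emit.  Returns the image length or -1 on rejection. */
static long jit_compile(const struct insn *prog, int n, int max_passes,
                        int validate, uint8_t *image)
{
    int addrs[MAX_INSNS + 1];
    long proglen = 0, oldproglen;
    if (n > MAX_INSNS) return -1;
    addrs[0] = 0;
    for (int i = 0; i < n; i++) {
        int t = i + 1 + prog[i].off;
        if (prog[i].op == OP_JMP && (t < 0 || t > n)) return -1; /* bad target */
        proglen += INSN_SZ_ESTIMATE;
        addrs[i + 1] = (int)proglen;
    }
    oldproglen = proglen;
    for (int pass = 0; pass < max_passes; pass++) {
        proglen = do_jit(prog, n, addrs, NULL, oldproglen, 0);
        if (proglen == oldproglen) break;   /* converged on total length */
        oldproglen = proglen;
    }
    return do_jit(prog, n, addrs, image, oldproglen, validate);
}

/* Decode the image and confirm every jump lands on an instruction boundary
 * (len itself means "fall off the end").  Returns 1 if so, else 0. */
static int image_jumps_are_sane(const uint8_t *image, long len)
{
    static const int sz[256] = { [0x90] = 1, [0xEB] = 2, [0xE9] = 5 };
    uint8_t boundary[MAX_IMAGE + 1] = {0};
    long pc;
    for (pc = 0; pc < len; pc += sz[image[pc]]) {
        if (!sz[image[pc]]) return 0;
        boundary[pc] = 1;
    }
    if (pc != len) return 0;
    boundary[len] = 1;
    for (pc = 0; pc < len; pc += sz[image[pc]]) {
        long target;
        if (image[pc] == 0x90) continue;
        if (image[pc] == 0xEB) target = pc + 2 + (int8_t)image[pc + 1];
        else { int32_t d; memcpy(&d, image + pc + 1, 4); target = pc + 5 + d; }
        if (target < 0 || target > len || !boundary[target]) return 0;
    }
    return 1;
}

/* Constructed sample: jump over two NOPs onto a third one. */
static const struct insn sample_prog[4] = { {OP_JMP, 2}, {OP_NOP, 0}, {OP_NOP, 0}, {OP_NOP, 0} };

/* Constructed sample: nops NOPs followed by a jump back to the first one. */
static int build_loop_prog(struct insn *out, int nops)
{
    for (int i = 0; i < nops; i++) out[i] = (struct insn){ OP_NOP, 0 };
    out[nops] = (struct insn){ OP_JMP, -(nops + 1) };
    return nops + 1;
}

int main(void)
{
    static uint8_t image[MAX_IMAGE];
    struct insn loop[MAX_INSNS];
    long len = jit_compile(sample_prog, 4, 20, 1, image);
    printf("converged: len=%ld first=%02x sane=%d\n", len, image[0],
           image_jumps_are_sane(image, len));
    /* Zero measuring passes leave the 64-byte estimates in addrs[]. */
    len = jit_compile(sample_prog, 4, 0, 0, image);
    printf("stale, unchecked: len=%ld sane=%d\n", len, image_jumps_are_sane(image, len));
    printf("stale, checked: %ld\n", jit_compile(sample_prog, 4, 0, 1, image));
    len = jit_compile(loop, build_loop_prog(loop, 130), 20, 1, image);
    printf("backward jump: len=%ld opcode=%02x\n", len, image[130]);
    return 0;
}
```

The point of the emitting-pass check is that it compares per-instruction end offsets, not just the total length the measuring loop converged on: two instructions that trade bytes between passes leave the total unchanged while every displacement computed across them is wrong, and a jump encoded from such offsets lands inside another instruction's bytes. Rejecting rather than recomputing keeps the fix small and independent of why the passes disagreed.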