APPLIED[F:oem-5.10]: [B, B:hwe, F, F:oem-5.6, F:oem-5.10, G][PATCH 0/2] CVE-2021-29154 - Linux kernel incorrect computation of branch displacements in BPF JIT compiler can be abused to execute arbitrary code in Kernel mode
Kleber Souza
kleber.souza at canonical.com
Fri Apr 9 14:28:26 UTC 2021
On 08.04.21 20:07, Marcelo Henrique Cerri wrote:
> Both fixes are needed for:
> - bionic:linux-hwe
> - focal:linux
> - focal:linux-oem-5.6
> - focal:linux-oem-5.10
> - groovy:linux
>
> bionic:linux only needs the first patch.
Applied to focal/linux-oem-5.10.
Thanks,
Kleber
>
> As per https://www.openwall.com/lists/oss-security/2021/04/08/1 by
> Piotr Krysiuk:
>
> An issue has been discovered in the Linux kernel that can be abused by
> unprivileged local users to escalate privileges.
>
> The issue is with how BPF JIT compilers for some architectures compute
> branch displacements when generating machine code. This can be abused
> to craft anomalous machine code and execute it in the Kernel mode,
> where the control flow is hijacked to execute unsafe code.
>
> I developed PoCs for x86-64 and x86-32 architectures to demonstrate
> shellcode execution in Kernel mode by unprivileged local users.
>
> One of these PoCs has been shared privately with <security at ...nel.org>
> to assist with fix development.
>
> Patches to mitigate the issue for x86-64 and x86-32 architectures are
> available. These patches do not attempt to correct the underlying
> algorithm and instead assert that all computations were performed
> correctly, such that all unsafe inputs are rejected.
>
> The patches were published via BPF subsystem public git repository:
> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=e4d4d456436bfb2fe412ee2cd489f7658449b098
> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=26f55a59dc65ff77cd1c4b37991e26497fc68049
>
> # Discoverer
>
> Piotr Krysiuk <piotras at ...il.com>
>
> # References
>
> CVE-2021-29154 (reserved via https://cveform.mitre.org/)
>
> ---
> Piotr Krysiuk (2):
> UBUNTU: SAUCE: bpf, x86: Validate computation of branch displacements for x86-64
> UBUNTU: SAUCE: bpf, x86: Validate computation of branch displacements for x86-32
>
> arch/x86/net/bpf_jit_comp.c | 11 ++++++++++-
> arch/x86/net/bpf_jit_comp32.c | 11 ++++++++++-
> 2 files changed, 20 insertions(+), 2 deletions(-)
>
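The mitigation strategy the cover letter describes, as an added example that is not the kernel's or the Ubuntu patch's code: a toy JIT that sizes a program in passes the way do_jit() does (addrs[] updated in place, pessimistic start, stop when the length stabilises) and, in the emission pass, applies the two assertions the fix adds, so a program whose layout shifted between sizing and emission is rejected instead of being emitted with stale branch displacements. The instruction model, the sample program, the helper names and the global scratch buffers are constructed for illustration.

```c
#include <string.h>
/* Toy model: an insn is a 1-byte op or a jump to insn index `target`; a jump encodes
 * as 2 bytes (rel8) or 5 bytes (rel32), like x86 JMP. */
typedef struct { int is_jmp; int target; } insn_t;
/* One pass shaped like do_jit(): addrs[i] is the end offset of insn i, updated in place.
 * With `image` set this is the emission pass and the CVE-2021-29154 checks apply: never
 * write past oldproglen, and addrs[i] must equal the value displacements were computed from. */
static int jit_pass(const insn_t *prog, int n, int *addrs, unsigned char *image, int oldproglen)
{
    int proglen = 0;
    for (int i = 0; i < n; i++) {
        unsigned char tmp[5] = { 0x90 };            /* NOP stands in for a plain op */
        int ilen = 1;
        if (prog[i].is_jmp) {
            int tstart = prog[i].target ? addrs[prog[i].target - 1] : 0;
            int disp = tstart - addrs[i];           /* relative to the end of the jump */
            ilen = (disp >= -128 && disp <= 127) ? 2 : 5;
            tmp[0] = (ilen == 2) ? 0xEB : 0xE9;
            memcpy(tmp + 1, &disp, ilen - 1);       /* little-endian host assumed */
        }
        if (image) {
            if (proglen + ilen > oldproglen || proglen + ilen != addrs[i])
                return -1;                          /* layout moved since sizing: reject */
            memcpy(image + proglen, tmp, ilen);
        }
        proglen += ilen;
        addrs[i] = proglen;
    }
    return proglen;
}
/* Size until proglen stops changing (pessimistic 64 bytes/insn start), then emit once under validation. */
static int jit_compile(const insn_t *prog, int n, int *addrs, unsigned char *image, int cap)
{
    int proglen = 0, oldproglen = 0;
    for (int i = 0; i < n; i++) { proglen += 64; addrs[i] = proglen; }
    for (int pass = 0; pass < 20 && proglen != oldproglen; pass++) {
        oldproglen = proglen;
        proglen = jit_pass(prog, n, addrs, NULL, 0);
    }
    return proglen > cap ? -1 : jit_pass(prog, n, addrs, image, proglen);
}
/* Constructed sample: op; jmp->3; op; op; jmp->0. Expected image: 90 EB 01 90 90 EB F9 */
static const insn_t sample[5] = { {0,0}, {1,3}, {0,0}, {0,0}, {1,0} };
static int g_addrs[5]; static unsigned char g_image[64];
/* Emission against addrs[] that disagree with the sizing passes must be rejected. */
static int sample_stale_addrs_rejected(void)
{
    if (jit_compile(sample, 5, g_addrs, g_image, 64) != 7) return 0;
    g_addrs[3] += 1;                                /* pretend insn 3 was sized differently */
    return jit_pass(sample, 5, g_addrs, g_image, 7) == -1;
}
```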