ACK/Cmnt: [SRU Groovy 0/2] CVE-2021-20194

Guilherme Piccoli gpiccoli at canonical.com
Thu Feb 18 19:51:19 UTC 2021


On Thu, Feb 18, 2021 at 4:40 PM Thadeu Lima de Souza Cascardo
<cascardo at canonical.com> wrote:
>
> Note:
> Not sending for Focal as this is queued on stable-next [1] tree.
>
> [1] git://kernel.ubuntu.com/ubuntu-stable/ubuntu-stable-focal.git
>
> [Impact]
> If there is a BPF attached to getsockopt, user can trigger a crash like:
> [  261.273921] WARNING: CPU: 0 PID: 753 at include/linux/thread_info.h:150 __cgroup_bpf_run_filter_getsockopt+0x2b0/0x2d0
>
> [Test case]
> Running reproducer causes the crash without the fixes.
>
> [Potential regression]
> Programs could misbehave when trying to use getsockopt under a cgroup
> with a getsockopt BPF attached. Network failures for programs under
> containers or systemd are possible regressions.
>
> Loris Reiff (2):
>   bpf, cgroup: Fix optlen WARN_ON_ONCE toctou
>   bpf, cgroup: Fix problematic bounds check
>
>  kernel/bpf/cgroup.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> --
> 2.27.0
>

Thanks Cascardo, it's a clear cherry-pick and a very simple check, so:

Acked-by: Guilherme G. Piccoli <gpiccoli at canonical.com>

But as a curiosity, why is it mentioned that it causes a crash, if a
WARN_ON() is triggered? Does it assume panic_on_warn is set?
Cheers,


Guilherme
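The two patch subjects quoted above name a TOCTOU on optlen and a bounds check. As an added illustration of those two defect shapes in general (not the patches themselves, not code from kernel/bpf/cgroup.c, and not part of this thread), the user-space C model below treats a user-supplied option length the way a double-fetch path and a single-fetch path would: `user_mem`, `fetch_optlen`, `KBUF_MAX` and the two `length_*` functions are hypothetical stand-ins, and the "race" is simulated by having the second read return a different value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define KBUF_MAX 64  /* hypothetical size of the kernel-side option buffer */

/* Constructed model of user memory holding the optlen field. Another
 * thread of the same process could overwrite it between two kernel reads;
 * `race` makes the second read return `optlen_after` instead. */
struct user_mem {
    int optlen;
    int optlen_after;
    bool race;
};

/* Stand-in for a get_user()-style read: every call re-reads user memory. */
static int fetch_optlen(const struct user_mem *u, int nth)
{
    return (nth == 2 && u->race) ? u->optlen_after : u->optlen;
}

/* Double-fetch shape: the bounds check runs on the first read, but the
 * length actually used for the copy comes from a second read. Returns 0
 * on "success" and stores the byte count the copy would use. */
static int length_double_fetch(const struct user_mem *u, size_t *nbytes)
{
    int checked = fetch_optlen(u, 1);
    if (checked > KBUF_MAX)
        return -1;
    int used = fetch_optlen(u, 2);
    *nbytes = (size_t)used;          /* may no longer satisfy the check */
    return 0;
}

/* Single-fetch shape: read once, validate both ends of the signed range,
 * and reuse that same value for the copy. */
static int length_single_fetch(const struct user_mem *u, size_t *nbytes)
{
    int checked = fetch_optlen(u, 1);
    if (checked < 0 || checked > KBUF_MAX)
        return -1;
    *nbytes = (size_t)checked;
    return 0;
}

/* True when a copy of nbytes would run past the kernel buffer, which is
 * the condition a size-checked copy helper would flag with a warning. */
static bool would_overflow(size_t nbytes)
{
    return nbytes > KBUF_MAX;
}

int main(void)
{
    size_t n = 0;

    /* Constructed scenario 1: the length changes between the two reads. */
    struct user_mem racing = { .optlen = 16, .optlen_after = 4096, .race = true };
    if (length_double_fetch(&racing, &n) == 0)
        printf("double fetch: copy of %zu bytes, overflow=%d\n", n, would_overflow(n));
    if (length_single_fetch(&racing, &n) == 0)
        printf("single fetch: copy of %zu bytes, overflow=%d\n", n, would_overflow(n));

    /* Constructed scenario 2: a negative length passes an upper-bound-only check. */
    struct user_mem negative = { .optlen = -1, .optlen_after = -1, .race = false };
    if (length_double_fetch(&negative, &n) == 0)
        printf("upper-bound only: -1 accepted, becomes %zu bytes\n", n);
    printf("signed check: %s\n",
           length_single_fetch(&negative, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the model is that validating one read and acting on another leaves the check with nothing to protect, and that an `int` length compared only against an upper bound lets a negative value through, which then becomes a huge `size_t`. Reading once and checking both bounds closes both gaps; the same shape is what a reviewer would look for when cherry-picking fixes of this kind.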
