ACK/Cmnt: [SRU Groovy 0/2] CVE-2021-20194
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Thu Feb 18 20:09:44 UTC 2021
On Thu, Feb 18, 2021 at 04:51:19PM -0300, Guilherme Piccoli wrote:
> On Thu, Feb 18, 2021 at 4:40 PM Thadeu Lima de Souza Cascardo
> <cascardo at canonical.com> wrote:
> >
> > Note:
> > Not sending for Focal as this is queued on stable-next [1] tree.
> >
> > [1] git://kernel.ubuntu.com/ubuntu-stable/ubuntu-stable-focal.git
> >
> > [Impact]
> > If there is a BPF attached to getsockopt, user can trigger a crash like:
> > [ 261.273921] WARNING: CPU: 0 PID: 753 at include/linux/thread_info.h:150 __cgroup_bpf_run_filter_getsockopt+0x2b0/0x2d0
> >
> > [Test case]
> > Running reproducer causes the crash without the fixes.
> >
> > [Potential regression]
> > Programs could misbehave when trying to use getsockopt under a cgroup
> > with a getsockopt BPF attached. Network failures for programs under
> > containers or systemd are possible regressions.
> >
> > Loris Reiff (2):
> > bpf, cgroup: Fix optlen WARN_ON_ONCE toctou
> > bpf, cgroup: Fix problematic bounds check
> >
> > kernel/bpf/cgroup.c | 7 ++++++-
> > 1 file changed, 6 insertions(+), 1 deletion(-)
> >
> > --
> > 2.27.0
> >
>
> Thanks Cascardo, it's a clear cherry-pick and a very simple check, so:
>
> Acked-by: Guilherme G. Piccoli <gpiccoli at canonical.com>
>
> But as a curiosity, why is it mentioned that it causes a crash, if a
> WARN_ON() is triggered? Does it assume panic_on_warn is set?
> Cheers,
>
It's just a WARNING, really, you are right!
Though a crash, code execution and privilege escalation cannot be ruled out, as
some say! :-)
Cascardo.
>
> Guilherme