List: oss-security
Subject: Re: [oss-security] Linux >=4.9: eBPF memory corruption bugs
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2017-12-24 8:23:15
Message-ID: 20171224082315.GA28282 () eldamar ! local
Hi
Debian issued an update yesterday, and while preparing the fixes three
more CVEs were requested which are related:
https://lists.debian.org/debian-security-announce/2017/msg00336.html
specifically:
CVE-2017-17862
Alexei Starovoitov discovered that the Extended BPF verifier
ignored unreachable code, even though it would still be processed
by JIT compilers. This could possibly be used by local users for
denial of service. It also increases the severity of bugs in
determining unreachable code.
https://www.spinics.net/lists/stable/msg206984.html
Upstream: https://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467
CVE-2017-17863
Jann Horn discovered that the Extended BPF verifier did not
correctly model pointer arithmetic on the stack frame pointer.
A local user can use this for privilege escalation.
https://www.spinics.net/lists/stable/msg206985.html
This 'fixes' 7bca0a9702edfc8d0e7e46f984ca422ffdbe0498 (introduced in
4.9.28) which was 332270fdc8b6fba07d059a9ad44df9e1a2ad4529 (4.12-rc1) in
mainline. Quoting the message from Jann: "This is a fix specifically for
the v4.9 stable tree because the mainline code looks very different at
this point."
CVE-2017-17864
Jann Horn discovered that the Extended BPF verifier could fail to
detect pointer leaks from conditional code. A local user could
use this to obtain sensitive information in order to exploit
other vulnerabilities.
Only reference so far:
https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/bugfix/all/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch?h=stretch-security
Quoting the commit/patch description:
> This was fixed differently upstream, but the code around here was
> largely rewritten in 4.14 by commit f1174f77b50c "bpf/verifier: rework
> value tracking". The bug can be detected by the bpf/verifier sub-test
> "pointer/scalar confusion in state equality check (way 1)".
and further he stated:
https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=stretch-security&id=ad775f6ff7eebb93eedc2f592bc974260e7757b0
The upstream fix is definitely post-4.14, probably "bpf: don't prune
branches when a scalar is replaced with a pointer", but no bisect was
done to confirm, so this question is still open.
Regards,
Salvatore