[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[oss-security] [CVE-2021-3444] Linux kernel bpf verifier incorrect mod32 truncation


CVE-2021-3444 - Linux kernel bpf verifier incorrect mod32 truncation

Recently, it was discovered that bpf verifier in the Linux kernel
did not properly handle mod32 destination register truncation when
the source register was known to be 0. De4dCr0w of 360 Alpha Lab
discovered that this vulnerability could be turned into out-of-bounds
reads in the kernel, and out-of-bounds writes can not be ruled out.

It was fixed in upstream commit:

  9b00f1b78809 ("bpf: Fix truncation handling for mod32 dst reg wrt zero")

and also landed in the 5.11.2, 5.10.19, and 5.4.101 stable kernels.

The commit itself references

  468f6eafa6c4 ("bpf: fix 32-bit ALU op verification") (v4.15-rc5)

as introducing the issue, but further analysis seemed to indicate that

  f6b1b3bf0d5f ("bpf: fix subprog verifier bypass by div/mod by 0 exception") (v4.16-rc1)

was also necessary to take advantage of the vulnerability.


Steve Beattie
<sbeattie AT ubuntu.com>

Attachment: signature.asc
Description: PGP signature