oss-sec mailing list archives

CVE-2020-8835: Linux kernel bpf incorrect verifier vulnerability


From: Steve Beattie <steve () nxnw org>
Date: Mon, 30 Mar 2020 09:36:24 -0700

[re-sending, apologies if a prior version makes it to the list.]

Manfred Paul, as part of the ZDI pwn2own competition, demonstrated
that a flaw existed in the bpf verifier for 32-bit operations. This
was introduced in commit:

  581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")

The result is that register bounds were improperly calculated,
allowing out-of-bounds reads and writes to occur.

This issue affects 5.5 kernels, and was backported to 5.4-stable
as b4de258dede528f88f401259aab3147fb6da1ddf. The Linux kernel bpf
maintainers recommend reverting the patch for stable releases:

  https://lore.kernel.org/bpf/20200330160324.15259-1-daniel () iogearbox net/T/

This bpf functionality is available to unprivileged users unless the
kernel.unprivileged_bpf_disabled sysctl is set to 1.

This issue has been identified as CVE-2020-8835 (and ZDI-CAN-10780).
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8835.html

-- 
Steve Beattie
<sbeattie () ubuntu com>
http://NxNW.org/~steve/
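A defender's check for the mitigation named above, added here as an example (it is not part of Steve Beattie's post or any distribution's tooling; the sysctl.d file name is an assumption):

```shell
#!/bin/sh
# Added example: report whether kernel.unprivileged_bpf_disabled is in effect,
# the sysctl the post names as the condition for unprivileged exposure.
SYSCTL_PATH=/proc/sys/kernel/unprivileged_bpf_disabled
SYSCTL_CONF=/etc/sysctl.d/99-unprivileged-bpf.conf   # file name is an assumption

# Interpret a raw sysctl value: 0 means unprivileged users may load BPF
# programs (the precondition for CVE-2020-8835 on an unpatched kernel),
# 1 means unprivileged BPF is disabled. Anything else is reported verbatim.
bpf_status() {
    case "$1" in
        0) echo "unprivileged BPF enabled: unpatched kernels are exposed to CVE-2020-8835" ;;
        1) echo "unprivileged BPF disabled: mitigation in effect" ;;
        *) echo "unexpected value '$1' for kernel.unprivileged_bpf_disabled" ;;
    esac
}

# Shell success (0) when the mitigation is in effect, failure (1) otherwise.
mitigation_active() {
    [ "$1" = "1" ]
}

# Read the live value on this host; a kernel built without BPF has no such file.
check_host() {
    if [ ! -r "$SYSCTL_PATH" ]; then
        echo "$SYSCTL_PATH not present (kernel without BPF support?)"
        return 2
    fi
    value=$(cat "$SYSCTL_PATH")
    echo "kernel $(uname -r): $(bpf_status "$value")"
    mitigation_active "$value"
}

# Apply the setting now and persist it across reboots (must run as root).
remediate() {
    sysctl -w kernel.unprivileged_bpf_disabled=1
    echo "kernel.unprivileged_bpf_disabled = 1" > "$SYSCTL_CONF"
}

# Usage: ./check_bpf.sh --check   (exit status mirrors mitigation_active)
#        ./check_bpf.sh --fix     (as root: runs the check, then remediate)
case "${1:-}" in
    --check) check_host ;;
    --fix)   check_host || remediate ;;
esac
```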
