oss-sec mailing list archives
[CVE-2021-3444] Linux kernel bpf verifier incorrect mod32 truncation
From: Steve Beattie <steve.beattie () canonical com>
Date: Tue, 23 Mar 2021 10:03:06 -0700
Hello, CVE-2021-3444 - Linux kernel bpf verifier incorrect mod32 truncation Recently, it was discovered that bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. De4dCr0w of 360 Alpha Lab discovered that this vulnerability could be turned into out-of-bounds reads in the kernel, and out-of-bounds writes can not be ruled out. It was fixed in upstream commit: 9b00f1b78809 ("bpf: Fix truncation handling for mod32 dst reg wrt zero") and also landed in the 5.11.2, 5.10.19, and 5.4.101 stable kernels. The commit itself references 468f6eafa6c4 ("bpf: fix 32-bit ALU op verification") (v4.15-rc5) as introducing the issue, but further analysis seemed to indicate that f6b1b3bf0d5f ("bpf: fix subprog verifier bypass by div/mod by 0 exception") (v4.16-rc1) was also necessary to take advantage of the vulnerability. Thanks. -- Steve Beattie <sbeattie () ubuntu com>
Attachment:
signature.asc
Description:
Current thread:
- [CVE-2021-3444] Linux kernel bpf verifier incorrect mod32 truncation Steve Beattie (Mar 23)