Bug 1182010 (CVE-2021-20194)

Summary: VUL-0: CVE-2021-20194: kernel-source,kernel-source-rt,kernel-source-azure: heap overflow in __cgroup_bpf_run_filter_getsockopt()
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: atoptsoglou, meissner, smash_bz, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/277515/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-20194:6.4:(AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2021-02-09 15:08:50 UTC
CVE-2021-20194

There is a vulnerability in Linux kernel versions higher than 5.2 (if the kernel is compiled with the config params CONFIG_BPF_SYSCALL=y, CONFIG_BPF=y, CONFIG_CGROUPS=y, CONFIG_CGROUP_BPF=y, CONFIG_HARDENED_USERCOPY not set, and a BPF hook to getsockopt is registered). As a result of BPF execution, a local user can trigger a bug in the __cgroup_bpf_run_filter_getsockopt() function that can lead to a heap overflow (because of non-hardened usercopy). The impact of the attack could be denial of service or possibly privilege escalation.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1912683
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20194
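As an added illustration (not part of the bug report or of any SUSE tooling), the static preconditions listed in the description can be checked against a kernel's build configuration. The script below assumes a `.config`-style text (as in `/boot/config-$(uname -r)` or a decompressed `/proc/config.gz`) and a `uname -r` string; the sample config is constructed. Whether a getsockopt BPF hook is actually attached, and whether the fix has been backported, cannot be read from the config, so they are left out on purpose.

```python
import re

# Options the description names as preconditions: all four must be =y ...
REQUIRED_Y = ("CONFIG_BPF_SYSCALL", "CONFIG_BPF", "CONFIG_CGROUPS", "CONFIG_CGROUP_BPF")
# ... and this one must be unset, otherwise hardened usercopy catches the bad copy.
MUST_BE_UNSET = "CONFIG_HARDENED_USERCOPY"


def parse_kconfig(text):
    """Map CONFIG_* names to values; '# X is not set' lines map to 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
            continue
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def parse_version(release):
    """'5.3.18-24.67-default' -> (5, 3, 18); a bare '5.10' -> (5, 10, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) if x else 0 for x in m.groups())


def preconditions_met(config_text, release):
    """Return the description's static preconditions that hold for this build.
    Only major.minor is compared: the buggy commit landed in v5.3-rc1, so the
    5.2.y stable series does not carry it. A version above 5.2 does not mean
    the fix is missing; distribution kernels (e.g. SLE15-SP2) carry backports."""
    opts = parse_kconfig(config_text)
    reasons = []
    if parse_version(release)[:2] > (5, 2):
        reasons.append("kernel version higher than 5.2")
    for opt in REQUIRED_Y:
        if opts.get(opt) == "y":
            reasons.append(opt + "=y")
    if opts.get(MUST_BE_UNSET, "n") == "n":
        reasons.append(MUST_BE_UNSET + " not set")
    return reasons


def all_preconditions_met(config_text, release):
    return len(preconditions_met(config_text, release)) == len(REQUIRED_Y) + 2


# Constructed sample config, not taken from any real distribution kernel.
SAMPLE_CONFIG = """\
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_BPF=y
# CONFIG_HARDENED_USERCOPY is not set
"""
```

A kernel that meets every listed precondition still only matters if a cgroup BPF program is attached at the getsockopt hook, which `bpftool cgroup tree` reports at runtime.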
Comment 2 Gianluca Gabrielli 2021-02-09 15:26:00 UTC
It seems this issue has been introduced in commit 0d01da6 [1] in kernel v5.3-rc1 and fixed with commits bb8b81e [2] and f4a2da7 [3]. These patches have already been backported to SLE15-SP2 and older kernel versions are not affected.

Please make sure the references are updated by associating the already backported commits with CVE-2021-20194 and this bug entry.

[1] https://github.com/torvalds/linux/commit/0d01da6afc5402f60325c5da31b22f7d56689b49
[2] https://github.com/torvalds/linux/commit/bb8b81e396f7afbe7c50d789e2107512274d2a35
[3] https://github.com/torvalds/linux/commit/f4a2da755a7e1f5d845c52aee71336cee289935a
Comment 3 Takashi Iwai 2021-02-09 15:41:06 UTC
Confirmed that both fixes are already in SLE15-SP2 via git-fixes backports, and that SLE15-SP1 and older are unaffected, as they do not contain the buggy commit.

Reassigned back to security team.
Comment 4 Alexandros Toptsoglou 2021-02-10 11:50:02 UTC
*** Bug 1181637 has been marked as a duplicate of this bug. ***
Comment 5 Marcus Meissner 2021-02-10 12:15:42 UTC
Can be closed.
Comment 6 Alexandros Toptsoglou 2021-02-16 15:59:19 UTC
*** Bug 1182330 has been marked as a duplicate of this bug. ***