Bugzilla – Bug 1182010
VUL-0: CVE-2021-20194: kernel-source,kernel-source-rt,kernel-source-azure: heap overflow in __cgroup_bpf_run_filter_getsockopt()
Last modified: 2022-02-13 11:56:04 UTC
CVE-2021-20194
There is a vulnerability in Linux kernel versions higher than 5.2 (if the kernel is compiled with config params CONFIG_BPF_SYSCALL=y, CONFIG_BPF=y, CONFIG_CGROUPS=y, CONFIG_CGROUP_BPF=y, CONFIG_HARDENED_USERCOPY not set, and a BPF hook to getsockopt is registered). As a result of BPF execution, a local user can trigger a bug in the __cgroup_bpf_run_filter_getsockopt() function that can lead to a heap overflow (because of non-hardened usercopy). The impact of the attack could be denial of service or possibly privilege escalation.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1912683
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20194
Upstream patches:
* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=bb8b81e396f7
* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=f4a2da755a7e
It seems this issue has been introduced in commit 0d01da6 [1] in kernel v5.3-rc1 and fixed with commits bb8b81e [2] and f4a2da7 [3]. These patches have already been backported to SLE15-SP2, and older kernel versions are not affected. Please make sure to update the references by associating the already backported commits with CVE-2021-20194 and this bug entry.

[1] https://github.com/torvalds/linux/commit/0d01da6afc5402f60325c5da31b22f7d56689b49
[2] https://github.com/torvalds/linux/commit/bb8b81e396f7afbe7c50d789e2107512274d2a35
[3] https://github.com/torvalds/linux/commit/f4a2da755a7e1f5d845c52aee71336cee289935a
Confirmed that both fixes are already in SLE15-SP2 via git-fixes backports, and SLE15-SP1 and older are unaffected, without the buggy commit. Reassigned back to security team.
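As an added example (not part of this bug report or of SUSE's tooling), the following POSIX shell check reads a kernel config file and reports whether a build matches the preconditions listed in the description above (version from v5.3-rc1 on, the four BPF/cgroup options built in, CONFIG_HARDENED_USERCOPY absent). The config path and version string are supplied by the caller, and a match only means the backports need verifying, since, as the comments note, SLE15-SP2 carries both fixes without any version change.

```shell
#!/bin/sh
# Added example, not part of the bug report or of any distribution's tooling.
# Checks whether a kernel build matches the preconditions the CVE-2021-20194
# description lists: kernel >= 5.3 (the buggy commit landed in v5.3-rc1) built with
# CONFIG_BPF_SYSCALL=y, CONFIG_BPF=y, CONFIG_CGROUPS=y, CONFIG_CGROUP_BPF=y and
# CONFIG_HARDENED_USERCOPY not set. A match means "verify the backports", not
# "vulnerable": distribution kernels carry the fixes without a version bump.

# kernel_is_affected_version "5.3.18-24.102-default" -> exit 0 when major.minor >= 5.3
kernel_is_affected_version() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%-*}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 3 ]; }
}

# config_option_set FILE OPTION -> exit 0 when the option is built in (=y)
config_option_set() {
    grep -q "^$2=y\$" "$1"
}

# cve_2021_20194_preconditions CONFIG_FILE KERNEL_VERSION
# Prints "matches: ..." when every precondition holds, else "no: <first reason>".
cve_2021_20194_preconditions() {
    cfg=$1 ver=$2
    if ! kernel_is_affected_version "$ver"; then
        echo "no: kernel $ver predates v5.3-rc1"; return 1
    fi
    for opt in CONFIG_BPF_SYSCALL CONFIG_BPF CONFIG_CGROUPS CONFIG_CGROUP_BPF; do
        if ! config_option_set "$cfg" "$opt"; then
            echo "no: $opt is not =y, the cgroup getsockopt hook cannot run"; return 1
        fi
    done
    if config_option_set "$cfg" CONFIG_HARDENED_USERCOPY; then
        echo "no: CONFIG_HARDENED_USERCOPY=y bounds-checks the usercopy"; return 1
    fi
    echo "matches: verify that bb8b81e396f7 and f4a2da755a7e are backported"
}

# Stand-alone use: inspect the running kernel when its config is available in /boot.
if [ -r "/boot/config-$(uname -r)" ]; then
    cve_2021_20194_preconditions "/boot/config-$(uname -r)" "$(uname -r)" || :
fi
```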
*** Bug 1181637 has been marked as a duplicate of this bug. ***
can be closed
*** Bug 1182330 has been marked as a duplicate of this bug. ***