Bugzilla – Bug 1194111
VUL-0: CVE-2021-4204: kernel-source: eBPF Improper Input Validation Privilege Escalation Vulnerability
Last modified: 2024-06-25 16:31:30 UTC
From linux-distros ML
---------------------

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.

Some affected distributions are listed below:
- Ubuntu 20.04 LTS with default installation (see https://ubuntu.com/about/release-cycle#ubuntu-kernel-release-cycle for more details)
- Ubuntu 22.04 LTS with kernel.unprivileged_bpf_disabled=0
- Debian 11 with kernel.unprivileged_bpf_disabled=0
- Fedora 33 with kernel.unprivileged_bpf_disabled=0

*Affected Version*
Linux kernel 5.8 or later (For now, 5.8 - 5.16)

*Root Cause Analysis*
eBPF provides some helper functions, and the verifier checks whether each is used properly according to its bpf_func_proto. For helper functions that require a PTR_TO_MEM as an argument, the verifier MUST know the memory size through the next argument to prevent OOB. (see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/bpf/verifier.c?h=v5.10.83#n4579 )

However, bpf_ringbuf_submit and bpf_ringbuf_discard do not follow the above rule. The verifier never knows the size of the memory passed into these two helper functions, resulting in OOB. (see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/bpf/ringbuf.c?h=v5.10.83#n423 )

*Proof-of-Concept*
Full exploit code attached. Just compile the source and run exp.sh (might take some minutes).
I tested this exploit on Ubuntu 20.04.3 with default installation (kernel: 5.11.0-41-generic #45~20.04.1-Ubuntu) (downloaded from https://releases.ubuntu.com/focal/)

Note: This bug has been submitted to security@kernel.org on Dec 21, 2021.
I see there is an approved JIRA ticket [0] to disable unprivileged eBPF (coming from bsc#1191580 [1]), I think once this is implemented it would mitigate this vulnerability as well. Please correct me if I'm wrong.

[0] https://jira.suse.com/browse/SLE-22596
[1] https://bugzilla.suse.com/show_bug.cgi?id=1191580
I checked kernel config files and I see that CONFIG_BPF_UNPRIV_DEFAULT_OFF has been enabled on the following branches:
- openSUSE-15.2
- cve/linux-4.4
- cve/linux-4.12
- SLE15-SP4
- SLE15-SP3
- SLE15-SP2
- SLE12-SP5
(In reply to Gianluca Gabrielli from comment #3)
> I see there is an approved JIRA ticket [0] to disable unprivileged eBPF
> (coming from bsc#1191580 [1]), I think once this is implemented it would
> mitigate this vulnerability as well. Please correct me if I'm wrong.

Yes, "ability to execute low-privileged code" mostly refers to unprivileged eBPF, so disabling unprivileged eBPF is indeed a mitigation against this vulnerability (and many others).
(In reply to Shung-Hsi Yu from comment #7)
> (In reply to Gianluca Gabrielli from comment #3)
> > I see there is an approved JIRA ticket [0] to disable unprivileged eBPF
> > (coming from bsc#1191580 [1]), I think once this is implemented it would
> > mitigate this vulnerability as well. Please correct me if I'm wrong.
>
> Yes, "ability to execute low-privileged code" mostly refers to unprivileged
> eBPF, so disable unprivileged eBPF is indeed a mitigation against this (and
> many other) vulnerability.

What about live kernels from clients that only install live-patches, are those still vulnerable?
(In reply to Gianluca Gabrielli from comment #8)
> What about live kernels from clients that only install live-patches, are
> those still vulnerable?

I think those are still vulnerable unless we also have a live-patch for SLE-22596 (my guess is that we don't).

On those systems unprivileged BPF can be disabled the old way with

  sysctl -w kernel.unprivileged_bpf_disabled=1

(updating /etc/sysctl.conf to persist over boot is preferred)

Note once unprivileged_bpf_disabled is set to 1, a *reboot* is required to re-enable unprivileged BPF.
Systems that require unprivileged BPF for their normal functioning will remain vulnerable until the BPF verifier is fixed.
is public

From: tr3e wang <tr3e.wang@gmail.com>
Subject: [oss-security] CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability

Hi all,

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.

BE AWARE, unprivileged bpf is disabled by default in most distros.

*Affected Version*
Linux kernel 5.8 or later (For now, 5.8 - 5.16)

*Root Cause Analysis*
eBPF provides some helper functions, and the verifier checks whether each is used properly according to its bpf_func_proto. For helper functions that require a PTR_TO_MEM as an argument, the verifier MUST know the memory size through the next argument to prevent OOB. (see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/bpf/verifier.c?h=v5.10.83#n4579 )

However, bpf_ringbuf_submit and bpf_ringbuf_discard do not follow the above rule. The verifier never knows the size of the memory passed into these two helper functions, resulting in OOB. (see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/bpf/ringbuf.c?h=v5.10.83#n423 )

*Exploit Code*
Exploit code will be delayed for 7 days and will be posted at 12:00 UTC, Jan 18, 2022

*Mitigations*
set kernel.unprivileged_bpf_disabled to 1

BE AWARE AGAIN, unprivileged bpf is disabled by default in most distros.

*Credits*
tr3e of SecCoder Security Lab

Best Regards,
tr3e
Have we backported this patch to any of our kernels? I think SLE15-SP4 needs the fix.
(In reply to Marcus Meissner from comment #15)
> have we backported this patch to any of our kernels ?

Not yet, so far I haven't seen a fix for this upstream.

> i think sle15-sp4 needs the fix.

Yes
Backported the following fix

  64620e0a1e71 bpf: Fix out of bounds access for ringbuf helpers

The following are pulled in as dependency

  be80a1d3f9db bpf: Generalize check_ctx_reg for reuse with other types
  6788ab23508b bpf: Generally fix helper register offset check

The following additional fix is *not* backported because it requires changes that are too intrusive when 64620e0a1e71 alone is sufficient

  a672b2e36a64 bpf: Fix ringbuf memory type confusion when passing to helpers

Reassigning back to security team
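Putting the root cause described in the earlier comments together with the two fix commits listed just above, here is an added illustration written for this page (it is not kernel code, not the reporter's PoC, and not part of the bug report): a stripped-down model of the verifier's argument check for bpf_ringbuf_submit()/bpf_ringbuf_discard(). The struct and function names (reg_state, reserve_result, check_alloc_mem_arg_vulnerable, check_alloc_mem_arg_fixed, ...) are hypothetical and only loosely mirror kernel/bpf/verifier.c; the register states fed in are constructed by hand to stand for the instruction sequences named in the comments.

```c
/*
 * Added illustration, not kernel code: a minimal model of how the eBPF
 * verifier judged an ARG_PTR_TO_ALLOC_MEM helper argument before and after
 * the fix. All names here are hypothetical (loosely after kernel/bpf/verifier.c).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum reg_type { NOT_INIT, SCALAR_VALUE, PTR_TO_MEM };

/* Subset of the per-register state the verifier tracks. */
struct reg_state {
    enum reg_type type;
    int32_t off;               /* constant offset the program added to the pointer */
    bool var_off_known_zero;   /* false once an unknown scalar was added */
    bool from_ringbuf_reserve; /* models the "allocated by reserve()" provenance flag */
};

enum verdict { VERDICT_OK = 0, ERR_BAD_TYPE, ERR_FIXED_OFF, ERR_VAR_OFF, ERR_NOT_ALLOC_MEM };

/* Register state right after a successful bpf_ringbuf_reserve(). */
struct reg_state reserve_result(void)
{
    struct reg_state r = { PTR_TO_MEM, 0, true, true };
    return r;
}

/* Models "r1 += k" with a constant k (e.g. r1 += 8). */
struct reg_state add_const(struct reg_state r, int32_t k)
{
    r.off += k;
    return r;
}

/* Models "r1 += r2" where r2 is an unbounded scalar. */
struct reg_state add_unknown_scalar(struct reg_state r)
{
    r.var_off_known_zero = false;
    return r;
}

/* A PTR_TO_MEM that did not come from bpf_ringbuf_reserve(). */
struct reg_state other_ptr_to_mem(void)
{
    struct reg_state r = { PTR_TO_MEM, 0, true, false };
    return r;
}

/*
 * Pre-fix behaviour: only the register *type* was checked. These helpers take
 * no size argument, so nothing bounds the pointer; bpf_ringbuf_submit() looks
 * for the record header immediately before the pointer it is handed, and a
 * shifted pointer makes that header read out of bounds.
 */
enum verdict check_alloc_mem_arg_vulnerable(struct reg_state reg)
{
    if (reg.type != PTR_TO_MEM)
        return ERR_BAD_TYPE;
    return VERDICT_OK;
}

/*
 * Fixed behaviour: the pointer must be exactly what reserve() returned.
 * The two offset checks model 64620e0a1e71; the provenance check models the
 * follow-up a672b2e36a64 that was not backported here.
 */
enum verdict check_alloc_mem_arg_fixed(struct reg_state reg)
{
    if (reg.type != PTR_TO_MEM)
        return ERR_BAD_TYPE;
    if (reg.off != 0)
        return ERR_FIXED_OFF;
    if (!reg.var_off_known_zero)
        return ERR_VAR_OFF;
    if (!reg.from_ringbuf_reserve)
        return ERR_NOT_ALLOC_MEM;
    return VERDICT_OK;
}

static const char *verdict_str(enum verdict v)
{
    static const char *names[] = { "accepted", "bad type", "non-zero fixed offset",
                                   "variable offset", "not ringbuf-reserved memory" };
    return names[v];
}

int main(void)
{
    struct reg_state cases[] = { reserve_result(), add_const(reserve_result(), 8),
                                 add_unknown_scalar(reserve_result()), other_ptr_to_mem() };
    const char *labels[] = { "r1 = reserve()", "r1 = reserve(); r1 += 8",
                             "r1 = reserve(); r1 += r2 (unknown)", "r1 = <other PTR_TO_MEM>" };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-36s vulnerable: %-10s fixed: %s\n", labels[i],
               verdict_str(check_alloc_mem_arg_vulnerable(cases[i])),
               verdict_str(check_alloc_mem_arg_fixed(cases[i])));
    return 0;
}
```

The point of the table it prints is the second row: the pre-fix check accepts `r1 = reserve(); r1 += 8; submit(r1)` because r1 is still a PTR_TO_MEM, and since the helper has no size argument the verifier has nothing else to bound it with; the fixed check rejects any fixed or variable offset on the pointer. The last row shows why a672b2e36a64 exists as a separate fix: offset checks alone still accept a zero-offset PTR_TO_MEM that was never reserved from a ring buffer.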
Shung-Hsi Yu, since you have done backports to older series, can you consider submitting those upstream as well for the relevant upstream stable series? TTBOMK e.g. 5.10.y, 5.15.y and 5.16.y do not yet have the fix, which is only in 5.17-rc1.
Close since all packages are released.
Hi Salvatore,

Okay, I'll submit the fix to the upstream stable series as well.
SUSE-SU-2022:2520-1: An update that solves 49 vulnerabilities, contains 26 features and has 207 fixes is now available.

Category: security (important)

Bug References: 1055117,1061840,1065729,1071995,1089644,1103269,1118212,1121726,1137728,1156395,1157038,1157923,1175667,1179439,1179639,1180814,1183682,1183872,1184318,1184924,1187716,1188885,1189998,1190137,1190208,1190336,1190497,1190768,1190786,1190812,1191271,1191663,1192483,1193064,1193277,1193289,1193431,1193556,1193629,1193640,1193787,1193823,1193852,1194086,1194111,1194191,1194409,1194501,1194523,1194526,1194583,1194585,1194586,1194625,1194765,1194826,1194869,1195099,1195287,1195478,1195482,1195504,1195651,1195668,1195669,1195775,1195823,1195826,1195913,1195915,1195926,1195944,1195957,1195987,1196079,1196114,1196130,1196213,1196306,1196367,1196400,1196426,1196478,1196514,1196570,1196723,1196779,1196830,1196836,1196866,1196868,1196869,1196901,1196930,1196942,1196960,1197016,1197157,1197227,1197243,1197292,1197302,1197303,1197304,1197362,1197386,1197501,1197601,1197661,1197675,1197761,1197817,1197819,1197820,1197888,1197889,1197894,1197915,1197917,1197918,1197920,1197921,1197922,1197926,1198009,1198010,1198012,1198013,1198014,1198015,1198016,1198017,1198018,1198019,1198020,1198021,1198022,1198023,1198024,1198027,1198030,1198034,1198058,1198217,1198379,1198400,1198402,1198410,1198412,1198413,1198438,1198484,1198577,1198585,1198660,1198802,1198803,1198806,1198811,1198826,1198829,1198835,1198968,1198971,1199011,1199024,1199035,1199046,1199052,1199063,1199163,1199173,1199260,1199314,1199390,1199426,1199433,1199439,1199482,1199487,1199505,1199507,1199605,1199611,1199626,1199631,1199650,1199657,1199674,1199736,1199793,1199839,1199875,1199909,1200015,1200019,1200045,1200046,1200144,1200205,1200211,1200259,1200263,1200284,1200315,1200343,1200420,1200442,1200475,1200502,1200567,1200569,1200571,1200599,1200600,1200608,1200611,1200619,1200692,1200762,1200763,1200806,1200807,1200808,1200809,1200810,1200812,1200813,1200815,1200816,1200820,1200821,1200822,1200824,1200825,1200827,1200828,1200829,1200830,1200845,1200882,1200925,1201050,1201080,1201160,1201171,1201177,1201193,1201196,1201218,1201222,1201228,1201251,1201381,1201471,1201524

CVE References: CVE-2021-26341,CVE-2021-33061,CVE-2021-4204,CVE-2021-44879,CVE-2021-45402,CVE-2022-0264,CVE-2022-0494,CVE-2022-0617,CVE-2022-1012,CVE-2022-1016,CVE-2022-1184,CVE-2022-1198,CVE-2022-1205,CVE-2022-1462,CVE-2022-1508,CVE-2022-1651,CVE-2022-1652,CVE-2022-1671,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1789,CVE-2022-1852,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1998,CVE-2022-20132,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-23222,CVE-2022-26365,CVE-2022-26490,CVE-2022-29582,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33743,CVE-2022-33981,CVE-2022-34918

JIRA References: SLE-13513,SLE-13521,SLE-15442,SLE-17855,SLE-18194,SLE-18234,SLE-18375,SLE-18377,SLE-18378,SLE-18382,SLE-18385,SLE-18901,SLE-18938,SLE-18978,SLE-19001,SLE-19026,SLE-19242,SLE-19249,SLE-19253,SLE-19924,SLE-21315,SLE-23643,SLE-24072,SLE-24093,SLE-24350,SLE-24549

Sources used:
openSUSE Leap 15.4 (src): dtb-aarch64-5.14.21-150400.24.11.1, kernel-64kb-5.14.21-150400.24.11.1, kernel-debug-5.14.21-150400.24.11.1, kernel-default-5.14.21-150400.24.11.1, kernel-default-base-5.14.21-150400.24.11.1.150400.24.3.6, kernel-docs-5.14.21-150400.24.11.1, kernel-kvmsmall-5.14.21-150400.24.11.1, kernel-obs-build-5.14.21-150400.24.11.1, kernel-obs-qa-5.14.21-150400.24.11.1, kernel-source-5.14.21-150400.24.11.1, kernel-syms-5.14.21-150400.24.11.1, kernel-zfcpdump-5.14.21-150400.24.11.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src): kernel-default-5.14.21-150400.24.11.1
SUSE Linux Enterprise Module for Live Patching 15-SP4 (src): kernel-default-5.14.21-150400.24.11.1, kernel-livepatch-SLE15-SP4_Update_1-1-150400.9.5.3
SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src): kernel-default-5.14.21-150400.24.11.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): kernel-docs-5.14.21-150400.24.11.1, kernel-obs-build-5.14.21-150400.24.11.1, kernel-source-5.14.21-150400.24.11.1, kernel-syms-5.14.21-150400.24.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): kernel-64kb-5.14.21-150400.24.11.1, kernel-default-5.14.21-150400.24.11.1, kernel-default-base-5.14.21-150400.24.11.1.150400.24.3.6, kernel-source-5.14.21-150400.24.11.1, kernel-zfcpdump-5.14.21-150400.24.11.1
SUSE Linux Enterprise High Availability 15-SP4 (src): kernel-default-5.14.21-150400.24.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2615-1: An update that solves 48 vulnerabilities, contains 26 features and has 202 fixes is now available.

Category: security (important)

Bug References: 1055117,1061840,1065729,1071995,1089644,1103269,1118212,1121726,1137728,1156395,1157038,1157923,1175667,1179439,1179639,1180814,1183682,1183872,1184318,1184924,1187716,1188885,1189998,1190137,1190208,1190336,1190497,1190768,1190786,1190812,1191271,1191663,1192483,1193064,1193277,1193289,1193431,1193556,1193629,1193640,1193787,1193823,1193852,1194086,1194111,1194191,1194409,1194501,1194523,1194526,1194583,1194585,1194586,1194625,1194765,1194826,1194869,1195099,1195287,1195478,1195482,1195504,1195651,1195668,1195669,1195775,1195823,1195826,1195913,1195915,1195926,1195944,1195957,1195987,1196079,1196114,1196130,1196213,1196306,1196367,1196400,1196426,1196478,1196514,1196570,1196723,1196779,1196830,1196836,1196866,1196868,1196869,1196901,1196930,1196942,1196960,1197016,1197157,1197227,1197243,1197292,1197302,1197303,1197304,1197362,1197386,1197501,1197601,1197661,1197675,1197761,1197817,1197819,1197820,1197888,1197889,1197894,1197915,1197917,1197918,1197920,1197921,1197922,1197926,1198009,1198010,1198012,1198013,1198014,1198015,1198016,1198017,1198018,1198019,1198020,1198021,1198022,1198023,1198024,1198027,1198030,1198034,1198058,1198217,1198379,1198400,1198402,1198412,1198413,1198438,1198484,1198577,1198585,1198660,1198802,1198803,1198806,1198811,1198826,1198835,1198968,1198971,1199011,1199024,1199035,1199046,1199052,1199063,1199163,1199173,1199260,1199314,1199390,1199426,1199433,1199439,1199482,1199487,1199505,1199507,1199605,1199611,1199626,1199631,1199650,1199657,1199674,1199736,1199793,1199839,1199875,1199909,1200015,1200019,1200045,1200046,1200144,1200205,1200211,1200259,1200263,1200284,1200315,1200343,1200420,1200442,1200475,1200502,1200567,1200569,1200571,1200572,1200599,1200600,1200608,1200611,1200619,1200692,1200762,1200763,1200806,1200807,1200808,1200809,1200810,1200812,1200815,1200816,1200820,1200822,1200824,1200825,1200827,1200828,1200829,1200830,1200845,1200882,1200925,1201050,1201160,1201171,1201177,1201193,1201196,1201218,1201222,1201228,1201251,150300

CVE References: CVE-2021-26341,CVE-2021-33061,CVE-2021-4204,CVE-2021-44879,CVE-2021-45402,CVE-2022-0264,CVE-2022-0494,CVE-2022-0617,CVE-2022-1012,CVE-2022-1016,CVE-2022-1184,CVE-2022-1198,CVE-2022-1205,CVE-2022-1508,CVE-2022-1651,CVE-2022-1652,CVE-2022-1671,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1789,CVE-2022-1852,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1998,CVE-2022-20132,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-23222,CVE-2022-26365,CVE-2022-26490,CVE-2022-29582,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33743,CVE-2022-33981,CVE-2022-34918

JIRA References: SLE-13513,SLE-13521,SLE-15442,SLE-17855,SLE-18194,SLE-18234,SLE-18375,SLE-18377,SLE-18378,SLE-18382,SLE-18385,SLE-18901,SLE-18938,SLE-18978,SLE-19001,SLE-19026,SLE-19242,SLE-19249,SLE-19253,SLE-19924,SLE-21315,SLE-23643,SLE-24072,SLE-24093,SLE-24350,SLE-24549

Sources used:
openSUSE Leap 15.4 (src): kernel-azure-5.14.21-150400.14.7.1, kernel-source-azure-5.14.21-150400.14.7.1, kernel-syms-azure-5.14.21-150400.14.7.1
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src): kernel-azure-5.14.21-150400.14.7.1, kernel-source-azure-5.14.21-150400.14.7.1, kernel-syms-azure-5.14.21-150400.14.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.