Message-ID: <20171224082315.GA28282@eldamar.local>
Date: Sun, 24 Dec 2017 09:23:15 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Linux >=4.9: eBPF memory corruption bugs

Hi

Debian issued an update yesterday, and while preparing the fixes three
more CVEs were requested which are related:

https://lists.debian.org/debian-security-announce/2017/msg00336.html

specifically:

CVE-2017-17862

    Alexei Starovoitov discovered that the Extended BPF verifier
    ignored unreachable code, even though it would still be processed
    by JIT compilers.  This could possibly be used by local users for
    denial of service.  It also increases the severity of bugs in
    determining unreachable code.

https://www.spinics.net/lists/stable/msg206984.html
Upstream: https://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467

CVE-2017-17863

    Jann Horn discovered that the Extended BPF verifier did not
    correctly model pointer arithmetic on the stack frame pointer.
    A local user can use this for privilege escalation.

https://www.spinics.net/lists/stable/msg206985.html

This 'fixes' 7bca0a9702edfc8d0e7e46f984ca422ffdbe0498 (introduced in
4.9.28) which was 332270fdc8b6fba07d059a9ad44df9e1a2ad4529 (4.12-rc1) in
mainline. Quoting the message from Jann: "This is a fix specifically for
the v4.9 stable tree because the mainline code looks very different at
this point."

CVE-2017-17864

    Jann Horn discovered that the Extended BPF verifier could fail to
    detect pointer leaks from conditional code.  A local user could
    use this to obtain sensitive information in order to exploit
    other vulnerabilities.

Only reference so far:

https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/bugfix/all/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch?h=stretch-security

Quoting the commit/patch description:

> This was fixed differently upstream, but the code around here was
> largely rewritten in 4.14 by commit f1174f77b50c "bpf/verifier: rework
> value tracking".  The bug can be detected by the bpf/verifier sub-test
> "pointer/scalar confusion in state equality check (way 1)".

and further he stated:

https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=stretch-security&id=ad775f6ff7eebb93eedc2f592bc974260e7757b0

The upstream fix is definitely post-4.14, probably "bpf: don't prune
branches when a scalar is replaced with a pointer", but no bisect was
done to confirm, so this question is still open.

Regards,
Salvatore
