Bug 1167722 (CVE-2020-8835)

Summary: VUL-0: CVE-2020-8835: kernel-source: out-of-bounds write in the bpf verifier for 32bit operations
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: Gary Ching-Pang Lin <glin>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: glin, meissner, mkubecek, rfrohl, tbogendoerfer, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/255944/
Whiteboard: CVSSv3.1:RedHat:CVE-2020-8835:7.0:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSSv3:ZDI:CVE-2020-8835:8.8:(AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) CVSSv2:NVD:CVE-2020-8835:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C) CVSSv3.1:NVD:CVE-2020-8835:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 8 Michal Kubeček 2020-03-30 16:12:44 UTC
This is the submission, I believe:

Comment 9 Gary Ching-Pang Lin 2020-03-31 02:15:29 UTC
(In reply to Michal Kubeček from comment #8)
> This is the submission, I believe:
>   https://lkml.kernel.org/r/20200330160324.15259-1-daniel@iogearbox.net

Thanks for pointing out the submission. Will backport the patches.
Comment 11 Marcus Meissner 2020-03-31 06:26:58 UTC
now public

From: Steve Beattie <steve@nxnw.org>
Subject: [oss-security] CVE-2020-8835: Linux kernel bpf incorrect verifier vulnerability

Manfred Paul, as part of the ZDI pwn2own competition, demonstrated
that a flaw existed in the bpf verifier for 32bit operations. This
was introduced in commit:

  581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")

The result is that register bounds were improperly calculated,
allowing out-of-bounds reads and writes to occur.

This issue affects 5.5 kernels, and was backported to 5.4-stable
as b4de258dede528f88f401259aab3147fb6da1ddf. The Linux kernel bpf
maintainers recommend reverting the patch for stable releases:


This bpf functionality is available to unprivileged users unless the
kernel.unprivileged_bpf_disabled sysctl is set to 1.

This issue has been identified as CVE-2020-8835 (and ZDI-CAN-10780).

Steve Beattie
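The oss-security post above names two facts a defender can act on: the flaw lives in the 5.5 series and in 5.4-stable after the backport, and the affected bpf functionality is reachable by unprivileged users unless kernel.unprivileged_bpf_disabled is 1. The following audit helper is an added example, not part of the bug report or of Steve Beattie's post; it only triages by kernel series (the page does not give the exact patched point releases, so that part is a hint to confirm against the distribution changelog) and reports the sysctl hardening state. The function names and the treatment of sysctl value 2 (permanently disabled, on newer kernels) are assumptions of this example.

```shell
#!/bin/sh
# Added example for CVE-2020-8835 triage (not the bug tracker's or the
# advisory author's code). Two checks drawn from the advisory text:
#   1. is the running kernel in the 5.4 / 5.5 series named as affected?
#   2. is unprivileged BPF disabled via kernel.unprivileged_bpf_disabled?

# Classify a kernel release string such as "5.4.28-default" or "5.5-rc1".
# "possibly-affected" for the 5.4.x / 5.5.x series, "outside-series" otherwise.
# Patched point releases are not stated on the page, so this is a triage
# hint, not a verdict: confirm against your distribution's changelog.
kernel_series_status() {
    release="$1"
    major="${release%%.*}"            # text before the first dot
    rest="${release#*.}"              # text after the first dot
    minor="${rest%%.*}"               # up to the next dot, if any
    minor="${minor%%[!0-9]*}"         # strip suffixes like "-rc1" or "-default"
    case "$major.$minor" in
        5.4|5.5) echo "possibly-affected" ;;
        *)       echo "outside-series" ;;
    esac
}

# Map the sysctl value to a hardening state. The advisory says the affected
# functionality is reachable by unprivileged users unless the value is 1;
# value 2 (assumed here, present on newer kernels) also means disabled.
bpf_sysctl_status() {
    case "$1" in
        1|2) echo "unprivileged-bpf-disabled" ;;
        0)   echo "unprivileged-bpf-enabled" ;;
        *)   echo "unknown" ;;
    esac
}

# Combine both checks into a single verdict word:
#   ACTION  affected series and unprivileged BPF enabled -> patch or set sysctl to 1
#   REVIEW  affected series but unprivileged BPF disabled -> confirm patch status
#   OK      kernel outside the series named in the advisory
audit_cve_2020_8835() {
    series=$(kernel_series_status "$1")
    bpf=$(bpf_sysctl_status "$2")
    if [ "$series" = "possibly-affected" ] && [ "$bpf" != "unprivileged-bpf-disabled" ]; then
        echo "ACTION"
    elif [ "$series" = "possibly-affected" ]; then
        echo "REVIEW"
    else
        echo "OK"
    fi
}

# When run on a Linux host, audit the live system; elsewhere the functions
# can still be sourced and exercised with constructed inputs.
if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
    live_release=$(uname -r)
    live_sysctl=$(cat /proc/sys/kernel/unprivileged_bpf_disabled)
    printf '%s: kernel %s, kernel.unprivileged_bpf_disabled=%s\n' \
        "$(audit_cve_2020_8835 "$live_release" "$live_sysctl")" \
        "$live_release" "$live_sysctl"
fi
```

Run it as root or any user on the host to be audited; the live read of /proc/sys needs no privilege. A result of ACTION means the cheapest interim mitigation from the advisory, setting kernel.unprivileged_bpf_disabled to 1, is not in place on a kernel in the affected series.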
Comment 12 Marcus Meissner 2020-07-06 11:20:14 UTC
was fixed before 15-SP2 GA