Bug 1190126 (CVE-2021-31440) - VUL-0: CVE-2021-31440: kernel-source-azure,kernel-source-rt,kernel-source: local escalation of privileges in handling of eBPF programs
Status: RESOLVED FIXED
Alias: CVE-2021-31440
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/283382/
Whiteboard:
Keywords:
Depends on:
Blocks: 1190127
Reported: 2021-09-02 15:19 UTC by Marcus Meissner
Modified: 2021-12-07 12:56 UTC
CC: 7 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2021-09-02 15:19:02 UTC
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.

External Reference:

https://www.zerodayinitiative.com/advisories/ZDI-21-503/

Upstream Fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=10bf4e83167cc68595b85fd73bb91e8f2c086e36
Comment 1 Marcus Meissner 2021-09-02 15:23:35 UTC
upstream affected: 5.7 and later (fixes: 3f50f132d840)
fixed upstream: 5.13 and later

patches.suse/bpf-Fix-propagation-of-32-bit-unsigned-bounds-from-6.patch

is in 15-sp3 branch, but not in 15-sp2 (not sure if 15-sp2 has the problem).
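The patch named in comment 1 (upstream commit 10bf4e83167c, "Fix propagation of 32 bit unsigned bounds from 64 bit bounds") changes how the eBPF verifier derives a register's 32-bit unsigned range from its 64-bit range: the 32-bit bounds are narrowed only when both the 64-bit minimum and maximum fit in 32 bits, instead of narrowing each bound on its own. The following is an added, simplified model of that logic written for this page; it is not code from the kernel, the ZDI advisory or SUSE. The struct and function names, the pre-fix "propagate each bound independently" model and the soundness checker are all this example's own assumptions, chosen to show why independent propagation can produce a 32-bit range that excludes values the register can actually hold (the verifier then reasons from a range that is too tight, which is the lack of validation the description refers to).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define U32_MAX 0xffffffffu

/* Minimal model of the verifier's per-register unsigned bounds (assumed names). */
struct reg_bounds {
    uint64_t umin, umax;       /* 64-bit unsigned bounds, taken as correct */
    uint32_t u32_min, u32_max; /* 32-bit unsigned bounds derived from them */
};

/* Does a 64-bit bound fit strictly inside the 32-bit unsigned range? */
static bool reg64_bound_u32(uint64_t a)
{
    return a > 0 && a < U32_MAX;
}

/* Pre-fix model: each 64-bit bound is propagated independently of the other. */
static void combine_64_into_32_buggy(struct reg_bounds *r)
{
    r->u32_min = 0;
    r->u32_max = U32_MAX;
    if (reg64_bound_u32(r->umin))
        r->u32_min = (uint32_t)r->umin;
    if (reg64_bound_u32(r->umax))
        r->u32_max = (uint32_t)r->umax;
}

/* Fixed model: narrow the 32-bit range only when both 64-bit bounds fit. */
static void combine_64_into_32_fixed(struct reg_bounds *r)
{
    r->u32_min = 0;
    r->u32_max = U32_MAX;
    if (reg64_bound_u32(r->umin) && reg64_bound_u32(r->umax)) {
        r->u32_min = (uint32_t)r->umin;
        r->u32_max = (uint32_t)r->umax;
    }
}

/*
 * Soundness check: the low 32 bits of every value in [umin, umax] must lie
 * inside [u32_min, u32_max]. The reachable low-32-bit set is computed
 * analytically: if the 64-bit range spans at least 2^32 values, or its low
 * 32 bits wrap past U32_MAX, every 32-bit value is reachable.
 */
static bool bounds_sound(const struct reg_bounds *r)
{
    uint32_t lo_min, lo_max;

    if (r->umax - r->umin >= U32_MAX ||
        (uint32_t)r->umin > (uint32_t)r->umax) {
        lo_min = 0;
        lo_max = U32_MAX;
    } else {
        lo_min = (uint32_t)r->umin;
        lo_max = (uint32_t)r->umax;
    }
    return r->u32_min <= lo_min && lo_max <= r->u32_max;
}

/* Helpers returning whether each variant yields sound 32-bit bounds. */
static bool buggy_is_sound(uint64_t umin, uint64_t umax)
{
    struct reg_bounds r = { .umin = umin, .umax = umax };
    combine_64_into_32_buggy(&r);
    return bounds_sound(&r);
}

static bool fixed_is_sound(uint64_t umin, uint64_t umax)
{
    struct reg_bounds r = { .umin = umin, .umax = umax };
    combine_64_into_32_fixed(&r);
    return bounds_sound(&r);
}

int main(void)
{
    /* Constructed sample ranges: the second one crosses the 2^32 boundary. */
    const uint64_t cases[][2] = {
        { 1, 100 },
        { 1, 0x100000001ull },   /* value 2^32 has low 32 bits == 0 */
        { 5, 0x100000003ull },   /* low bits wrap from 5 .. U32_MAX .. 3 */
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint64_t lo = cases[i][0], hi = cases[i][1];
        printf("umin=%#llx umax=%#llx  pre-fix sound: %s  fixed sound: %s\n",
               (unsigned long long)lo, (unsigned long long)hi,
               buggy_is_sound(lo, hi) ? "yes" : "NO",
               fixed_is_sound(lo, hi) ? "yes" : "NO");
    }
    return 0;
}
```

For the range [1, 2^32+1] the pre-fix model keeps u32_min = 1 because only umin fits in 32 bits, yet the register may hold 2^32, whose low 32 bits are 0; the fixed model leaves the 32-bit range fully open. Walking the whole range with a loop would also expose this, but for a 2^32-sized range that is far too slow, so the checker derives the reachable low-32-bit set analytically instead.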
Comment 3 Tony Jones 2021-09-13 22:29:57 UTC
(In reply to Marcus Meissner from comment #1)
>
> is in 15-sp3 branch, but not in 15-sp2 (not sure if 15-sp2 has the problem).

Correct, because we did not take 3f50f132d840 into SP2. We have a related fix in SP2 from ee114dd64c and that seems correct.
Comment 4 Tony Jones 2021-09-13 22:34:10 UTC
Stable is at 5.14, so not needed there either. So I believe we're good here. Reassigning back to default.
Comment 5 Marcus Meissner 2021-12-07 12:56:50 UTC
done