Bugzilla – Bug 1194249
VUL-0: CVE-2021-45941: libbpf: heap-based buffer overflow (8 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).
Last modified: 2023-01-11 12:06:34 UTC
libbpf 0.6.0 and 0.6.1 have a heap-based buffer overflow (8 bytes) in
__bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).
This is interesting:
libbpf> grep SUSE:SLE
libbpf> isc ls SUSE:SLE-15-SP3:GA/libbpf
libbpf> isc ls SUSE:SLE-15-SP4:GA/libbpf
How could it happen that there are just .spec and .changes?
(In reply to Petr Gajdos from comment #1)
> This is interesting:
Not really. BuildRequires: kernel-source is the difference.
This ended up being an issue with how libbpf interprets the number of section headers in an ELF file.
Usually the number of section headers is stored in the e_shnum field of the ELF header. However, when the number of section headers is >= 65280/0xff00, e_shnum will be zero, with the actual number of section headers stored in the sh_size field of the 0th section header.
I've confirmed that using the elf_getshdrnum() helper to retrieve the number of section headers instead of using the e_shnum field directly fixes this issue CVE-2021-45941 and CVE-2021-45940 (bug 1194248).
I will soon submit this fix along with fixes for a few other fuzzer-reported bugs that I discovered while running the fuzzer locally.
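As an added example (not code from libbpf or libelf), the C program below shows the two ways of reading the section-header count described in the comment above: the e_shnum shortcut, and the spec-correct fallback to shdr[0].sh_size that elf_getshdrnum() implements when e_shnum is zero. The ELF64 image is constructed in memory for the demonstration, and the function names naive_shnum, elf64_shnum and build_elf are this example's own, not libbpf's.

```c
/* Added example, not libbpf or libelf code. Reads the section-header count of a
 * little-endian ELF64 image as the ELF spec requires: when e_shnum == 0 and
 * e_shoff != 0, the real count lives in shdr[0].sh_size. The test image is
 * constructed in memory (build_elf), not taken from a real object file. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EHDR64_SIZE   64
#define SHDR64_SIZE   64
#define SHN_LORESERVE 0xff00u   /* e_shnum is 0 whenever the real count is >= this */

/* Unaligned little-endian accessors, so the image can live in a plain byte buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Buggy pattern: trust e_shnum (offset 60 in Elf64_Ehdr) as the section count.
 * For an image with >= 0xff00 sections this returns 0 while the section table
 * is much larger, which is the mismatch behind the overflow discussed above. */
uint16_t naive_shnum(const uint8_t *buf) { return rd16(buf + 60); }

/* Correct pattern (what elf_getshdrnum() does). e_shnum == 0 means either
 * "no section headers at all" (e_shoff == 0) or "count is in shdr[0].sh_size".
 * Returns 0 on success and -1 for a malformed or truncated image. */
int elf64_shnum(const uint8_t *buf, size_t len, uint64_t *count)
{
    if (len < EHDR64_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    if (buf[4] != 2 /* ELFCLASS64 */ || buf[5] != 1 /* ELFDATA2LSB */) return -1;

    uint16_t e_shnum = rd16(buf + 60);
    if (e_shnum != 0) { *count = e_shnum; return 0; }

    uint64_t e_shoff = rd64(buf + 40);
    if (e_shoff == 0) { *count = 0; return 0; }                  /* genuinely no sections */
    if (rd16(buf + 58) < SHDR64_SIZE) return -1;                 /* e_shentsize too small */
    if (e_shoff > len || len - e_shoff < SHDR64_SIZE) return -1; /* shdr[0] not within image */

    *count = rd64(buf + e_shoff + 32);                           /* shdr[0].sh_size */
    return 0;
}

/* Construct a minimal 128-byte ELF64 image: an Elf64_Ehdr followed by one
 * Elf64_Shdr. Only the fields this example reads are populated. */
size_t build_elf(uint8_t *out, size_t cap, uint16_t e_shnum, uint64_t shdr0_size)
{
    if (cap < EHDR64_SIZE + SHDR64_SIZE) return 0;
    memset(out, 0, EHDR64_SIZE + SHDR64_SIZE);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;          /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    wr16(out + 16, 1);                            /* e_type = ET_REL */
    wr64(out + 40, EHDR64_SIZE);                  /* e_shoff: section table follows the ehdr */
    wr16(out + 52, EHDR64_SIZE);                  /* e_ehsize */
    wr16(out + 58, SHDR64_SIZE);                  /* e_shentsize */
    wr16(out + 60, e_shnum);                      /* e_shnum (0 => extended numbering) */
    wr64(out + EHDR64_SIZE + 32, shdr0_size);     /* shdr[0].sh_size */
    return EHDR64_SIZE + SHDR64_SIZE;
}

int main(void)
{
    uint8_t img[EHDR64_SIZE + SHDR64_SIZE];
    uint64_t n = 0;
    size_t len;

    len = build_elf(img, sizeof img, 3, 0);
    elf64_shnum(img, len, &n);
    printf("ordinary image: e_shnum=%u real count=%llu\n", naive_shnum(img), (unsigned long long)n);

    /* 0xff10 sections: e_shnum must be 0 and the count moves to shdr[0].sh_size. */
    len = build_elf(img, sizeof img, 0, 0xff10);
    elf64_shnum(img, len, &n);
    printf("extended image: e_shnum=%u real count=%llu\n", naive_shnum(img), (unsigned long long)n);
    return 0;
}
```

In real code, call libelf's elf_getshdrnum() rather than reimplementing this; the point of the example is that any allocation sized from e_shnum alone is wrong for the extended case, and that the fallback read of shdr[0] itself needs a bounds check against the image length, since a fuzzer will happily hand you e_shoff past the end of the buffer. Note also that shdr[0].sh_size is a 64-bit value under attacker control, so a caller must still bound any allocation it derives from the returned count.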
Fix proposed upstream <https://firstname.lastname@example.org/>. But it still needs a few more changes before getting merged. Will provide an update once it happens.
Fix is now merged upstream https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?h=for-next&id=51deedc9b8680953437dfe359e5268120de10e30, the same fix needed for bug 1194249.
This only affects Tumbleweed/Factory. I'll apply the fix there.
(In reply to Shung-Hsi Yu from comment #12)
> Fix is now merged upstream
> ?h=for-next&id=51deedc9b8680953437dfe359e5268120de10e30, the same fix needed
> for bug 1194249.
Should say bug 1194248.
Fix submitted to Tumbleweed/Factory in SR#1034423.
Reassigning back to security team.