Bug 1167722 - (CVE-2020-8835) VUL-0: CVE-2020-8835: kernel-source: out-of-bounds write in the bpf verifier for 32bit operations
(CVE-2020-8835)
VUL-0: CVE-2020-8835: kernel-source: out-of-bounds write in the bpf verifier ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Gary Ching-Pang Lin
Security Team bot
https://smash.suse.de/issue/255944/
CVSSv3.1:RedHat:CVE-2020-8835:7.0:(A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-03-26 07:32 UTC by Wolfgang Frisch
Modified: 2022-07-21 18:29 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 8 Michal Kubeček 2020-03-30 16:12:44 UTC
This is the submission, I believe:

  https://lkml.kernel.org/r/20200330160324.15259-1-daniel@iogearbox.net
Comment 9 Gary Ching-Pang Lin 2020-03-31 02:15:29 UTC
(In reply to Michal Kubeček from comment #8)
> This is the submission, I believe:
> 
>   https://lkml.kernel.org/r/20200330160324.15259-1-daniel@iogearbox.net

Thanks for pointing the submission. Will backport the patches.
Comment 11 Marcus Meissner 2020-03-31 06:26:58 UTC
now public

From: Steve Beattie <steve@nxnw.org>
Subject: [oss-security] CVE-2020-8835: Linux kernel bpf incorrect verifier vulnerability

Manfred Paul, as part of the ZDI pwn2own competition, demonstrated
that a flaw existed in the bpf verifier for 32bit operations. This
was introduced in commit:

  581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")

The result is that register bounds were improperly calculated,
allowing out-of-bounds reads and writes to occur.

This issue affects 5.5 kernels, and was backported to 5.4-stable
as b4de258dede528f88f401259aab3147fb6da1ddf. The Linux kernel bpf
maintainers recommend reverting the patch for stable releases:

  https://lore.kernel.org/bpf/20200330160324.15259-1-daniel@iogearbox.net/T/

This bpf functionality is available to unprivileged users unless the
kernel.unprivileged_bpf_disabled sysctl is set to 1.

This issue has been identified as CVE-2020-8835 (and ZDI-CAN-10780).
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8835.html

-- 
Steve Beattie
<sbeattie@ubuntu.com>
http://NxNW.org/~steve/
Comment 12 Marcus Meissner 2020-07-06 11:20:14 UTC
was fixed before 15-SP2 GA