Bugzilla – Bug 1167722
VUL-0: CVE-2020-8835: kernel-source: out-of-bounds write in the bpf verifier for 32bit operations
Last modified: 2022-12-23 12:16:52 UTC
This is the submission, I believe: https://lkml.kernel.org/r/20200330160324.15259-1-daniel@iogearbox.net
(In reply to Michal Kubeček from comment #8)
> This is the submission, I believe:
>
> https://lkml.kernel.org/r/20200330160324.15259-1-daniel@iogearbox.net

Thanks for pointing out the submission. Will backport the patches.
now public

From: Steve Beattie <steve@nxnw.org>
Subject: [oss-security] CVE-2020-8835: Linux kernel bpf incorrect verifier vulnerability

Manfred Paul, as part of the ZDI pwn2own competition, demonstrated that a flaw existed in the bpf verifier for 32bit operations. This was introduced in commit:

  581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")

The result is that register bounds were improperly calculated, allowing out-of-bounds reads and writes to occur.

This issue affects 5.5 kernels, and was backported to 5.4-stable as b4de258dede528f88f401259aab3147fb6da1ddf. The Linux kernel bpf maintainers recommend reverting the patch for stable releases:

  https://lore.kernel.org/bpf/20200330160324.15259-1-daniel@iogearbox.net/T/

This bpf functionality is available to unprivileged users unless the kernel.unprivileged_bpf_disabled sysctl is set to 1.

This issue has been identified as CVE-2020-8835 (and ZDI-CAN-10780).

https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8835.html

-- 
Steve Beattie <sbeattie@ubuntu.com>
http://NxNW.org/~steve/
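The mail above says the affected verifier code is reachable by unprivileged users unless kernel.unprivileged_bpf_disabled is set to 1. The following is an added example, not part of this bug report, of Steve Beattie's mail or of the kernel tree: it checks that precondition on the running system in two ways, by reading and interpreting the sysctl and by trying to load a trivial socket-filter program through the bpf() syscall from the current (ideally non-root) user. It does not test for CVE-2020-8835 itself. Assumptions: a Linux build host with the kernel UAPI headers (<linux/bpf.h>); the sysctl value 2 ("disabled, but an admin may re-enable") is not mentioned in the mail and exists only on later kernels (5.15 and newer); the function names and the probe's result codes are this example's own.

```c
/*
 * Added example: is the bpf verifier reachable by an unprivileged process?
 * Not part of the bug report or the oss-security mail. Checks only the
 * precondition stated there (unprivileged bpf() access), not the CVE itself.
 * Assumes Linux with UAPI headers; names and result codes are hypothetical.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

#define UNPRIV_BPF_SYSCTL "/proc/sys/kernel/unprivileged_bpf_disabled"

/* Parse the sysctl's text ("0\n", "1\n", "2\n"); -1 for anything else. */
int parse_unpriv_bpf_setting(const char *text)
{
    char *end;
    long v;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text)
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    if (*end != '\0' || v < 0 || v > 2)
        return -1;
    return (int)v;
}

/* Meaning of each value; 2 was added in Linux 5.15, older kernels know only 0 and 1. */
const char *describe_unpriv_bpf_setting(int v)
{
    switch (v) {
    case 0:  return "unprivileged BPF enabled: verifier reachable by any user";
    case 1:  return "unprivileged BPF disabled (locked until reboot)";
    case 2:  return "unprivileged BPF disabled (admin may re-enable by writing 0)";
    default: return "unknown value";
    }
}

/* Read and parse the live sysctl; -1 if the file is unreadable or malformed. */
int read_unpriv_bpf_setting(const char *path)
{
    char buf[32];
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_unpriv_bpf_setting(buf);
}

/*
 * Try to load the smallest valid socket-filter program: "r0 = 0; exit".
 * Returns 1 if it loaded (the verifier ran for this process), 0 on EPERM
 * (sysctl set, no CAP_BPF/CAP_SYS_ADMIN, seccomp or an LSM; the probe
 * cannot tell these apart), -1 for any other failure.
 */
int probe_unpriv_bpf_prog_load(void)
{
    struct bpf_insn insns[] = {
        { .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = BPF_REG_0, .imm = 0 },
        { .code = BPF_JMP | BPF_EXIT },
    };
    union bpf_attr attr;
    int fd;

    memset(&attr, 0, sizeof attr);
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insn_cnt  = sizeof insns / sizeof insns[0];
    attr.insns     = (unsigned long)insns;
    attr.license   = (unsigned long)"GPL";

    fd = (int)syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof attr);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return errno == EPERM ? 0 : -1;
}

int main(void)
{
    int setting = read_unpriv_bpf_setting(UNPRIV_BPF_SYSCTL);

    printf("kernel.unprivileged_bpf_disabled = %d (%s)\n",
           setting, describe_unpriv_bpf_setting(setting));
    if (geteuid() == 0)
        puts("running as root: the load probe says nothing about unprivileged access");
    switch (probe_unpriv_bpf_prog_load()) {
    case 1:  puts("BPF_PROG_LOAD succeeded: verifier reachable from this process"); break;
    case 0:  puts("BPF_PROG_LOAD: EPERM (sysctl, missing capability, seccomp or LSM)"); break;
    default: printf("BPF_PROG_LOAD failed: %s\n", strerror(errno)); break;
    }
    return 0;
}
```

Run it as an ordinary user on the host being assessed; a successful load with the sysctl at 0 is the exposed configuration the mail describes, and on an unpatched 5.4/5.5 kernel that is the condition under which the CVE matters. A load that fails with EPERM only shows that this process cannot reach the verifier; it does not by itself prove the sysctl is the reason, since a seccomp profile or LSM policy gives the same error.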
was fixed before 15-SP2 GA