From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [oss-security] [CVE-2021-29154] Linux kernel incorrect computation of branch displacements in BPF JIT compiler can be abused to execute arbitrary code in Kernel mode
Date: Sat, 10 Apr 2021 10:27:59 +0100
Message-ID: <428CDFC6-DC20-4EF2-95E9-A95C48E1DB6E@ipfire.org>
In-Reply-To: <50fdffcf-7412-c9bf-724d-1e336a85127a@ipfire.org>
Seen it. Not surprising at all, but hopefully useful as a learning experience.
> On 10 Apr 2021, at 10:24, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> And *BOOM* goes the dynamite... m(
>
>> An issue has been discovered in the Linux kernel that can be abused by
>> unprivileged local users to escalate privileges.
>>
>> The issue is with how BPF JIT compilers for some architectures compute
>> branch displacements when generating machine code. This can be abused
>> to craft anomalous machine code and execute it in the Kernel mode,
>> where the control flow is hijacked to execute unsafe code.
>>
>> I developed PoCs for x86-64 and x86-32 architectures to demonstrate
>> shellcode execution in Kernel mode by unprivileged local users.
>>
>> One of these PoCs has been shared privately with <security(a)kernel.org>
>> to assist with fix development.
>>
>> Patches to mitigate the issue for x86-64 and x86-32 architectures are
>> available. These patches do not attempt to correct the underlying
>> algorithm and instead assert that all computations were performed
>> correctly, such that all unsafe inputs are rejected.
>>
>> The patches were published via BPF subsystem public git repository:
>> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=e4d4d456436bfb2fe412ee2cd489f7658449b098
>> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=26f55a59dc65ff77cd1c4b37991e26497fc68049
>>
>> # Discoverer
>>
>> Piotr Krysiuk <piotras(a)gmail.com>
>>
>> # References
>>
>> CVE-2021-29154 (reserved via https://cveform.mitre.org/)
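The quoted advisory describes the mitigation as not repairing the displacement algorithm itself but asserting that the JIT's computations were consistent, so that any program for which they were not is rejected. The toy JIT below, added here as an illustration and not taken from the kernel patches linked above, shows that defensive pattern on constructed input: a two-opcode bytecode (NOP, or JMP to an instruction index) is sized over repeated passes from a pessimistic all-long-jumps start until offsets stop changing, and the final populate step refuses to produce an image if any instruction lands at an offset other than the one the converged pass predicted, or if a jump target lies outside the program. The opcode bytes, encoding sizes, limits, function names and sample programs are all assumptions of this example, not the kernel's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy bytecode: NOP, or JMP to an absolute instruction index. */
enum { OP_NOP = 0, OP_JMP = 1 };
struct insn { int op; int target; };

#define MAX_INSN   256
#define MAX_IMAGE  (MAX_INSN * 5)     /* worst case: every insn a 5-byte long jump */
#define MAX_PASSES MAX_INSN           /* displacements only shrink, so this always suffices */

struct jit_ctx {
    int addrs[MAX_INSN + 1];          /* addrs[i] = image offset of insn i; addrs[n] = total length */
    uint8_t image[MAX_IMAGE];
    int len;
};

/* Emit insn i at ctx->len: 1-byte NOP, 2-byte short jump when the displacement fits
 * in int8, else a 5-byte long jump. Targets resolve through ctx->addrs, so a forward
 * target uses the offset computed in the previous pass (the source of inconsistency
 * the consistency check below guards against). Bytes are written explicitly so the
 * encoding does not depend on host endianness. */
static void emit_insn(struct jit_ctx *ctx, const struct insn *prog, int i)
{
    int start = ctx->len;
    if (prog[i].op == OP_NOP) {
        ctx->image[ctx->len++] = 0x90;
        return;
    }
    int32_t disp = ctx->addrs[prog[i].target] - (start + 2);
    if (disp >= -128 && disp <= 127) {
        ctx->image[ctx->len++] = 0xEB;
        ctx->image[ctx->len++] = (uint8_t)(int8_t)disp;
    } else {
        uint32_t u = (uint32_t)(ctx->addrs[prog[i].target] - (start + 5));
        ctx->image[ctx->len++] = 0xE9;
        for (int k = 0; k < 4; k++)
            ctx->image[ctx->len++] = (uint8_t)(u >> (8 * k));
    }
}

/* Final pass: emit the image and assert that every instruction ends exactly where the
 * converged offsets said it would. A mismatch means the displacement computation was
 * inconsistent, so the program is rejected instead of loaded. Returns length or -1. */
static int jit_populate(struct jit_ctx *ctx, const struct insn *prog, int n, const int *expected)
{
    ctx->len = 0;
    for (int i = 0; i < n; i++) {
        emit_insn(ctx, prog, i);
        if (ctx->len != expected[i + 1])
            return -1;                 /* offset drifted from the prior pass: unsafe, reject */
    }
    return ctx->len;
}

/* Reject malformed targets, iterate sizing passes until offsets converge, then
 * populate under the consistency assertion. Returns image length or -1. */
static int jit_compile(struct jit_ctx *ctx, const struct insn *prog, int n)
{
    if (n < 1 || n > MAX_INSN) return -1;
    for (int i = 0; i < n; i++)
        if (prog[i].op == OP_JMP && (prog[i].target < 0 || prog[i].target >= n))
            return -1;                 /* jump outside the program: unsafe input */

    ctx->addrs[0] = 0;                 /* pessimistic start: every JMP assumed long */
    for (int i = 0; i < n; i++)
        ctx->addrs[i + 1] = ctx->addrs[i] + (prog[i].op == OP_NOP ? 1 : 5);

    int prev[MAX_INSN + 1], pass;
    for (pass = 0; pass < MAX_PASSES; pass++) {
        memcpy(prev, ctx->addrs, sizeof(int) * (n + 1));
        ctx->len = 0;
        for (int i = 0; i < n; i++) {
            emit_insn(ctx, prog, i);
            ctx->addrs[i + 1] = ctx->len;
        }
        if (memcmp(prev, ctx->addrs, sizeof(int) * (n + 1)) == 0)
            break;                     /* offsets stable: converged */
    }
    if (pass == MAX_PASSES) return -1; /* never converged: reject */
    return jit_populate(ctx, prog, n, prev);
}

/* Constructed scenarios sharing one context so results can be inspected. */
static struct jit_ctx g_ctx;

static int scenario_backward_short(void)      /* 3 NOPs then JMP 0: short backward jump */
{
    const struct insn prog[] = {{OP_NOP, 0}, {OP_NOP, 0}, {OP_NOP, 0}, {OP_JMP, 0}};
    return jit_compile(&g_ctx, prog, 4);
}

static int scenario_forward_long(void)        /* JMP over 199 NOPs: needs the long form */
{
    struct insn prog[201] = {{OP_JMP, 200}};
    for (int i = 1; i < 201; i++) { prog[i].op = OP_NOP; prog[i].target = 0; }
    return jit_compile(&g_ctx, prog, 201);
}

static int scenario_bad_target(void)          /* jump past the end of the program */
{
    const struct insn prog[] = {{OP_NOP, 0}, {OP_JMP, 5}};
    return jit_compile(&g_ctx, prog, 2);
}

static int scenario_inconsistent_offsets(void) /* feed populate offsets that disagree */
{
    const struct insn prog[] = {{OP_NOP, 0}, {OP_NOP, 0}, {OP_NOP, 0}, {OP_JMP, 0}};
    if (jit_compile(&g_ctx, prog, 4) < 0) return -2;
    int bogus[5];
    memcpy(bogus, g_ctx.addrs, sizeof bogus);
    bogus[4] += 3;                     /* claim the final jump was 5 bytes, not 2 */
    return jit_populate(&g_ctx, prog, 4, bogus);
}

int main(void)
{
    int len = scenario_backward_short();
    printf("backward jump program: %d bytes:", len);
    for (int i = 0; i < len; i++) printf(" %02x", g_ctx.image[i]);
    printf("\nbad target rejected: %s\n", scenario_bad_target() < 0 ? "yes" : "no");
    printf("inconsistent offsets rejected: %s\n", scenario_inconsistent_offsets() < 0 ? "yes" : "no");
    return 0;
}
```

The point of the populate-time assertion is that it does not need to know why offsets might disagree: whatever flaw the sizing passes have, an image is only produced when the offsets each instruction was emitted at match the offsets the branches were encoded against, which is the property a JIT needs to keep control flow inside the code it meant to generate.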