From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [oss-security] [CVE-2021-29154] Linux kernel incorrect computation of branch displacements in BPF JIT compiler can be abused to execute arbitrary code in Kernel mode
Date: Sat, 10 Apr 2021 10:27:59 +0100
Message-ID: <428CDFC6-DC20-4EF2-95E9-A95C48E1DB6E@ipfire.org>
In-Reply-To: <50fdffcf-7412-c9bf-724d-1e336a85127a@ipfire.org>

Seen it. Not surprising at all, but hopefully useful as a learning experience.

> On 10 Apr 2021, at 10:24, Peter Müller wrote:
>
> And *BOOM* goes the dynamite... m(
>
>> An issue has been discovered in the Linux kernel that can be abused by
>> unprivileged local users to escalate privileges.
>>
>> The issue is with how BPF JIT compilers for some architectures compute
>> branch displacements when generating machine code. This can be abused
>> to craft anomalous machine code and execute it in Kernel mode,
>> where the control flow is hijacked to execute unsafe code.
>>
>> I developed PoCs for x86-64 and x86-32 architectures to demonstrate
>> shellcode execution in Kernel mode by unprivileged local users.
>>
>> One of these PoCs has been shared privately with
>> to assist with fix development.
>>
>> Patches to mitigate the issue for x86-64 and x86-32 architectures are
>> available. These patches do not attempt to correct the underlying
>> algorithm and instead assert that all computations were performed
>> correctly, such that all unsafe inputs are rejected.
>>
>> The patches were published via the BPF subsystem's public git repository:
>> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=e4d4d456436bfb2fe412ee2cd489f7658449b098
>> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=26f55a59dc65ff77cd1c4b37991e26497fc68049
>>
>> # Discoverer
>>
>> Piotr Krysiuk
>>
>> # References
>>
>> CVE-2021-29154 (reserved via https://cveform.mitre.org/)
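The mitigation the quoted advisory describes (keep the displacement algorithm, but assert during the emitting pass that every offset still matches the layout the displacements were computed against, and reject the program otherwise) as an added example that is not part of this thread, the advisory, or the kernel patches: a toy JIT in C with x86-style short and long jump encodings, the multi-pass shrink loop, the consistency check, and an independent walk of the emitted bytes that confirms every jump lands on an instruction boundary. The opcode set, the addrs[] convention, and the sample programs are constructed for illustration and do not reproduce the kernel's do_jit.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Toy multi-pass JIT.  NOP is 0x90 (1 byte).  Jumps are x86-style, relative
 * to the jump's end: EB disp8 (2 bytes) if it fits, else E9 disp32 (5). */
enum { OP_NOP, OP_JMP };
struct insn { int op; int target; };   /* target = index of destination insn */
#define MAX_INSN  256
#define MAX_IMAGE (MAX_INSN * 5)

/* addrs[i] is the offset where insn i starts; addrs[n] is the total length. */
static int emit_insn(const struct insn *p, int i, const int *addrs, uint8_t *out)
{
    if (p[i].op == OP_NOP) { out[0] = 0x90; return 1; }
    int dst = addrs[p[i].target], d8 = dst - (addrs[i] + 2);
    if (d8 >= -128 && d8 <= 127) { out[0] = 0xEB; out[1] = (uint8_t)d8; return 2; }
    int32_t d32 = dst - (addrs[i] + 5);
    out[0] = 0xE9; memcpy(out + 1, &d32, 4); return 5;
}

/* One pass.  Forward jumps see the previous pass's addrs[], backward jumps this
 * pass's.  With image != NULL bytes are written, but only while every offset
 * matches the layout the displacements were computed against and stays in bounds. */
static int do_pass(const struct insn *p, int n, int *addrs, uint8_t *image, int cap)
{
    int proglen = 0;
    for (int i = 0; i < n; i++) {
        uint8_t tmp[5]; int ilen = emit_insn(p, i, addrs, tmp);
        if (image) {
            if (proglen + ilen > cap || proglen + ilen != addrs[i + 1])
                return -EFAULT;               /* assert the computation, reject the input */
            memcpy(image + proglen, tmp, ilen);
        }
        proglen += ilen;
        addrs[i + 1] = proglen;
    }
    return proglen;
}

/* Start pessimistic (every insn 5 bytes), shrink until the length is stable
 * (at most 20 passes), then emit.  Returns image length or a negative errno. */
static int jit_compile(const struct insn *p, int n, uint8_t *image, int cap)
{
    int addrs[MAX_INSN + 1], oldlen = -1, len = 0, converged = 0;
    if (n < 1 || n > MAX_INSN) return -E2BIG;
    for (int i = 0; i < n; i++)
        if (p[i].op == OP_JMP && (p[i].target < 0 || p[i].target > n)) return -EINVAL;
    for (int i = 0; i <= n; i++) addrs[i] = i * 5;
    for (int pass = 0; pass < 20 && !converged; pass++) {
        len = do_pass(p, n, addrs, NULL, 0);
        converged = (len == oldlen); oldlen = len;
    }
    return converged ? do_pass(p, n, addrs, image, cap) : -EINVAL;
}

/* Independent check of the emitted bytes: record instruction starts, then confirm
 * every jump lands on one (or on the end).  A jump into the middle of an
 * instruction is how bytes the JIT never meant as code get executed. */
static int image_targets_ok(const uint8_t *img, int len)
{
    uint8_t is_start[MAX_IMAGE + 1] = { 0 };
    if (len < 0 || len > MAX_IMAGE) return 0;
    for (int off = 0; off < len; ) {
        is_start[off] = 1;
        if ((off += img[off] == 0x90 ? 1 : img[off] == 0xEB ? 2 : 5) > len) return 0;
    }
    is_start[len] = 1;
    for (int off = 0; off < len; ) {
        int dst, ilen;
        if (img[off] == 0xEB) { dst = off + 2 + (int8_t)img[off + 1]; ilen = 2; }
        else if (img[off] == 0xE9) { int32_t d; memcpy(&d, img + off + 1, 4); dst = off + 5 + d; ilen = 5; }
        else { off++; continue; }
        if (dst < 0 || dst > len || !is_start[dst]) return 0;
        off += ilen;
    }
    return 1;
}

/* Constructed sample (not the advisory's PoC): a jump over two NOPs, 200 more
 * NOPs (zero-initialised entries are OP_NOP), then a jump back to the start.
 * The first shrinks to EB 02, the second must stay E9 disp32: 2+2+200+5 = 209. */
static int demo_compile(void)
{
    struct insn p[204] = { {OP_JMP, 3}, {OP_NOP, 0}, {OP_NOP, 0} };
    uint8_t img[MAX_IMAGE];
    p[203] = (struct insn){ OP_JMP, 0 };
    int len = jit_compile(p, 204, img, sizeof img);
    if (len != 209 || img[0] != 0xEB || img[1] != 0x02 || img[204] != 0xE9) return -1;
    return image_targets_ok(img, len) ? len : -1;
}

/* Failure mode: emit against a layout the shrink loop never refined.  Without the
 * check, a 2-byte jump computed for a 5-byte layout would be written out; with
 * it, do_pass refuses (-EFAULT) and nothing reaches the image. */
static int demo_reject_stale_layout(void)
{
    struct insn p[] = { {OP_JMP, 3}, {OP_NOP, 0}, {OP_NOP, 0}, {OP_NOP, 0} };
    int addrs[5] = { 0, 5, 10, 15, 20 };
    uint8_t img[MAX_IMAGE];
    return do_pass(p, 4, addrs, img, sizeof img);
}
```

The shrink loop converges because an instruction can only ever get smaller, so displacements only ever shrink and a jump that has become short stays short. The check in do_pass does not try to make that reasoning airtight; it verifies the outcome instead, so a program for which the sizing and emitting passes disagree is rejected rather than emitted with a jump whose displacement was computed for a different layout. image_targets_ok is the property that matters for the attack class in the subject line: no jump in the final image may land inside another instruction.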