From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Fwd: [oss-security] [CVE-2021-29154] Linux kernel incorrect computation of branch displacements in BPF JIT compiler can be abused to execute arbitrary code in Kernel mode
Date: Sat, 10 Apr 2021 11:24:22 +0200
Message-ID: <50fdffcf-7412-c9bf-724d-1e336a85127a@ipfire.org>
And *BOOM* goes the dynamite... m(
> An issue has been discovered in the Linux kernel that can be abused by
> unprivileged local users to escalate privileges.
>
> The issue is with how BPF JIT compilers for some architectures compute
> branch displacements when generating machine code. This can be abused
> to craft anomalous machine code and execute it in the Kernel mode,
> where the control flow is hijacked to execute unsafe code.
>
> I developed PoCs for x86-64 and x86-32 architectures to demonstrate
> shellcode execution in Kernel mode by unprivileged local users.
>
> One of these PoCs has been shared privately with <security(a)kernel.org>
> to assist with fix development.
>
> Patches to mitigate the issue for x86-64 and x86-32 architectures are
> available. These patches do not attempt to correct the underlying
> algorithm and instead assert that all computations were performed
> correctly, such that all unsafe inputs are rejected.
>
> The patches were published via BPF subsystem public git repository:
> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=e4d4d456436bfb2fe412ee2cd489f7658449b098
> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=26f55a59dc65ff77cd1c4b37991e26497fc68049
>
> # Discoverer
>
> Piotr Krysiuk <piotras(a)gmail.com>
>
> # References
>
> CVE-2021-29154 (reserved via https://cveform.mitre.org/)
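The forwarded advisory describes the fix as a safety check rather than an algorithmic repair: after the JIT has computed branch displacements, the result is checked and any program for which the check fails is rejected. The following C program is an added illustration of that pattern and is not the kernel's BPF JIT code, nor code from Piotr Krysiuk, oss-security or IPFire. It uses an invented three-instruction toy IR and borrows the x86 short (0xEB, 8-bit displacement) and near (0xE9, 32-bit displacement) jump encodings so that jump size depends on the displacement, which is the situation in which a stale address estimate produces a wrong displacement. The verification step decodes every emitted jump and confirms it lands exactly on its target's real start offset.

```c
/* Added example: toy JIT with a post-emission displacement check.
 * Not the Linux BPF JIT; opcodes 0xEB/0xE9 are borrowed from x86 for realism. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INSNS 32
#define MAX_CODE  512

enum opcode { OP_NOP, OP_WIDE, OP_JMP };

struct insn { enum opcode op; int target; };   /* target: IR index, OP_JMP only */

struct image {
    uint8_t code[MAX_CODE];
    int len;
    int start[MAX_INSNS + 1];   /* real byte offset of each IR insn; [n] = end */
};

/* One emission pass. 'est' is the byte offset assumed for each IR insn (from the
 * previous pass); displacements are computed against it, while the offsets that
 * actually result from this pass are recorded in img->start. */
static void emit_pass(const struct insn *prog, int n, const int *est, struct image *img)
{
    img->len = 0;
    for (int i = 0; i < n; i++) {
        img->start[i] = img->len;
        switch (prog[i].op) {
        case OP_NOP:
            img->code[img->len++] = 0x90;
            break;
        case OP_WIDE:                                   /* stand-in for a 10-byte insn */
            memset(img->code + img->len, 0xCC, 10);
            img->len += 10;
            break;
        case OP_JMP: {
            /* x86-style: displacement is relative to the end of the jump itself */
            int32_t disp8 = est[prog[i].target] - (est[i] + 2);
            if (disp8 >= -128 && disp8 <= 127) {
                img->code[img->len++] = 0xEB;
                img->code[img->len++] = (uint8_t)(int8_t)disp8;
            } else {
                int32_t disp32 = est[prog[i].target] - (est[i] + 5);
                img->code[img->len++] = 0xE9;
                memcpy(img->code + img->len, &disp32, 4);
                img->len += 4;
            }
            break;
        }
        }
    }
    img->start[n] = img->len;
}

/* Independent check: decode each emitted jump and require that it lands on the
 * real start of its target. Returns 0 if every jump is consistent, -1 otherwise. */
static int verify_image(const struct insn *prog, int n, const struct image *img)
{
    for (int i = 0; i < n; i++) {
        if (prog[i].op != OP_JMP) continue;
        const uint8_t *p = img->code + img->start[i];
        int32_t disp; int size;
        if (p[0] == 0xEB)      { disp = (int8_t)p[1]; size = 2; }
        else if (p[0] == 0xE9) { memcpy(&disp, p + 1, 4); size = 5; }
        else return -1;
        if (img->start[i] + size + disp != img->start[prog[i].target]) return -1;
    }
    return 0;
}

/* Run up to max_passes emission passes (stopping early once offsets are stable),
 * then accept the image only if verify_image() agrees with it. */
static int jit(const struct insn *prog, int n, int max_passes, struct image *img)
{
    int est[MAX_INSNS + 1];
    for (int i = 0; i <= n; i++) est[i] = i;   /* deliberately crude first estimate */
    for (int pass = 0; pass < max_passes; pass++) {
        emit_pass(prog, n, est, img);
        if (memcmp(est, img->start, sizeof(int) * (n + 1)) == 0) break;
        memcpy(est, img->start, sizeof(int) * (n + 1));
    }
    return verify_image(prog, n, img);
}

/* Constructed program: a forward jump over twenty wide insns to a final NOP.
 * With a single pass the short-jump guess is stale and the check rejects it. */
static int demo(int max_passes, int *len_out)
{
    struct insn prog[MAX_INSNS];
    int n = 0;
    prog[n++] = (struct insn){ OP_JMP, 21 };
    for (int i = 0; i < 20; i++) prog[n++] = (struct insn){ OP_WIDE, 0 };
    prog[n++] = (struct insn){ OP_NOP, 0 };
    struct image img;
    int rc = jit(prog, n, max_passes, &img);
    if (len_out) *len_out = img.len;
    return rc;
}

int main(void)
{
    int len;
    printf("1 pass : %s (%d bytes)\n", demo(1, &len) ? "REJECTED" : "ok", len);
    printf("8 passes: %s (%d bytes)\n", demo(8, &len) ? "REJECTED" : "ok", len);
    return 0;
}
```

The point of `verify_image()` is that it does not trust the pass logic at all: it works only from the bytes that were actually emitted and the offsets that actually resulted, so any mistake in the estimate, whether from too few passes or a flawed size computation, surfaces as a rejected program rather than as a jump into the middle of an instruction.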