And *BOOM* goes the dynamite... m(

> An issue has been discovered in the Linux kernel that can be abused by
> unprivileged local users to escalate privileges.
> 
> The issue is with how BPF JIT compilers for some architectures compute
> branch displacements when generating machine code. This can be abused
> to craft anomalous machine code and execute it in the Kernel mode,
> where the control flow is hijacked to execute unsafe code.
> 
> I developed PoCs for x86-64 and x86-32 architectures to demonstrate
> shellcode execution in Kernel mode by unprivileged local users.
> 
> One of these PoCs has been shared privately with <security(a)kernel.org>
> to assist with fix development.
> 
> Patches to mitigate the issue for x86-64 and x86-32 architectures are
> available. These patches do not attempt to correct the underlying
> algorithm and instead assert that all computations were performed
> correctly, such that all unsafe inputs are rejected.
> 
> The patches were published via BPF subsystem public git repository:
> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=e4d4d456436bfb2fe412ee2cd489f7658449b098
> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=26f55a59dc65ff77cd1c4b37991e26497fc68049
> 
> # Discoverer
> 
> Piotr Krysiuk <piotras(a)gmail.com>
> 
> # References
> 
> CVE-2021-29154 (reserved via https://cveform.mitre.org/)