From: Peter Müller
To: development@lists.ipfire.org
Subject: Fwd: [oss-security] [CVE-2021-29154] Linux kernel incorrect computation of branch displacements in BPF JIT compiler can be abused to execute arbitrary code in Kernel mode
Date: Sat, 10 Apr 2021 11:24:22 +0200
Message-ID: <50fdffcf-7412-c9bf-724d-1e336a85127a@ipfire.org>

And *BOOM* goes the dynamite... m(

> An issue has been discovered in the Linux kernel that can be abused by
> unprivileged local users to escalate privileges.
>
> The issue is with how BPF JIT compilers for some architectures compute
> branch displacements when generating machine code. This can be abused
> to craft anomalous machine code and execute it in the Kernel mode,
> where the control flow is hijacked to execute unsafe code.
>
> I developed PoCs for x86-64 and x86-32 architectures to demonstrate
> shellcode execution in Kernel mode by unprivileged local users.
>
> One of these PoCs has been shared privately with
> to assist with fix development.
>
> Patches to mitigate the issue for x86-64 and x86-32 architectures are
> available. These patches do not attempt to correct the underlying
> algorithm and instead assert that all computations were performed
> correctly, such that all unsafe inputs are rejected.
>
> The patches were published via BPF subsystem public git repository:
> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=e4d4d456436bfb2fe412ee2cd489f7658449b098
> * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=26f55a59dc65ff77cd1c4b37991e26497fc68049
>
> # Discoverer
>
> Piotr Krysiuk
>
> # References
>
> CVE-2021-29154 (reserved via https://cveform.mitre.org/)
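Added example, not part of Peter's mail, of the quoted advisory, or of the kernel tree: a toy C model of the multi-pass layout logic the advisory refers to. Branch sizes (rel8 vs rel32) are chosen from the previous pass's addrs[] table, which is overwritten in place as the pass proceeds, so a backward branch reads this pass's target position against last pass's own position. The pass that writes the image carries the same kind of guard the advisory describes for the fix: rather than correcting the displacement arithmetic, it asserts that every instruction ends where the previous pass placed it and returns -EFAULT otherwise. The instruction set, the function names (do_pass, jit, emit_with_layout), the sample program and the stale address table are constructed for this illustration; the stale table stands in for a layout that drifted between passes. With the check off, the emitted rel8 branch points past the end of the 5-byte program; with it on, the image is rejected.

```c
/* Toy model of a multi-pass JIT that sizes PC-relative branches from the layout
 * computed in the previous pass, with the image-pass consistency assertion that
 * the CVE-2021-29154 fix takes instead of reworking the arithmetic. Constructed
 * example: the ISA, names and sample program are assumptions, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OP_NOP, OP_JMP };            /* 1-byte NOP; JMP to the start of insn i+off+1 */
struct insn { int op; int off; };

#define MAX_INSN   256
#define MAX_PASSES 20
#define EFAULT     14

/* Like x86: EB rel8 (2 bytes) when the displacement fits a signed byte, else E9 rel32 (5). */
static int is_imm8(int32_t d) { return d >= -128 && d <= 127; }

/* One pass. addrs[i] is the end offset of insn i from the previous pass and is
 * updated in place, so a backward branch sees this pass's target position but
 * last pass's own position (the mixed-pass arithmetic behind the advisory).
 * With image set, bytes are emitted; with validate set, every instruction must
 * also end exactly where the previous pass put it. Returns length or -EFAULT.
 * Branch targets are assumed in range (the BPF verifier checks that first). */
static int do_pass(const struct insn *prog, int n, int *addrs,
                   uint8_t *image, int image_len, int validate)
{
    int proglen = 0;
    for (int i = 1; i <= n; i++) {
        uint8_t tmp[5];
        int ilen;
        if (prog[i].op == OP_NOP) {
            tmp[0] = 0x90; ilen = 1;
        } else {
            int32_t d = addrs[i + prog[i].off] - addrs[i];
            if (is_imm8(d)) { tmp[0] = 0xEB; tmp[1] = (uint8_t)d; ilen = 2; }
            else { tmp[0] = 0xE9; memcpy(tmp + 1, &d, 4); ilen = 5; } /* host-endian */
        }
        if (image) {
            if (proglen + ilen > image_len)             /* never write past the image */
                return -EFAULT;
            if (validate && proglen + ilen != addrs[i]) /* layout drifted since last pass */
                return -EFAULT;
            memcpy(image + proglen, tmp, ilen);
        }
        proglen += ilen;
        addrs[i] = proglen;
    }
    return proglen;
}

/* Iterate until the total length stops changing, then populate the image.
 * Without validate, the only guard on the final pass is the total-length check. */
static int jit(const struct insn *prog, int n, uint8_t *image, int image_len, int validate)
{
    int addrs[MAX_INSN + 1];
    int oldproglen = -1, proglen = 0, converged = 0;
    addrs[0] = 0;
    for (int i = 1; i <= n; i++)
        addrs[i] = 64 * i;          /* pessimistic first estimate, as the x86 JIT starts */
    for (int pass = 0; pass < MAX_PASSES && !converged; pass++) {
        proglen = do_pass(prog, n, addrs, NULL, 0, 0);
        converged = (proglen == oldproglen);
        oldproglen = proglen;
    }
    if (!converged || proglen > image_len)
        return -EFAULT;
    int final_len = do_pass(prog, n, addrs, image, image_len, validate);
    if (final_len < 0)
        return final_len;
    return final_len == proglen ? final_len : -EFAULT;
}

/* Image pass against a caller-supplied layout table (copied): shows what the
 * emitted branch looks like when that table is not the layout being produced. */
static int emit_with_layout(const struct insn *prog, int n, const int *layout,
                            uint8_t *image, int image_len, int validate)
{
    int addrs[MAX_INSN + 1];
    memcpy(addrs, layout, (size_t)(n + 1) * sizeof *addrs);
    return do_pass(prog, n, addrs, image, image_len, validate);
}

/* Constructed sample: JMP over three NOPs (index 0 unused; insns are 1-based). */
static const struct insn sample[] = {
    {OP_NOP, 0}, {OP_JMP, 2}, {OP_NOP, 0}, {OP_NOP, 0}, {OP_NOP, 0},
};
#define SAMPLE_N 4
/* Constructed stale table: a layout in which each NOP was believed to be 2 bytes. */
static const int stale_layout[SAMPLE_N + 1] = { 0, 2, 4, 6, 8 };
static uint8_t image[64];

int main(void)
{
    int len = jit(sample, SAMPLE_N, image, sizeof image, 1);
    printf("converged: len=%d rel8=%d\n", len, image[1]);           /* 5, 2 */
    len = emit_with_layout(sample, SAMPLE_N, stale_layout, image, sizeof image, 0);
    printf("stale, unchecked: len=%d rel8=%d\n", len, image[1]);    /* 5, 4: past the end */
    printf("stale, checked: %d\n",
           emit_with_layout(sample, SAMPLE_N, stale_layout, image, sizeof image, 1)); /* -14 */
    return 0;
}
```

Build with any C99 compiler (cc -std=c99 -Wall). The point to take from the stale run is that the unchecked pass still produces a well-formed 5-byte image whose branch is simply wrong, which is why a total-length comparison alone is not enough and the fix asserts per-instruction positions instead.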