s390x BPF JIT vulnerabilities

Bug #1943960 reported by Thadeu Lima de Souza Cascardo
Affects                   Status         Importance   Assigned to   Milestone
Ubuntu on IBM z Systems   Fix Released   Undecided    Unassigned
linux (Ubuntu)            Fix Released   Undecided    Unassigned

Bug Description

[Impact]
s390 BPF JIT vulnerabilities allow the eBPF verifier to be bypassed, leading to possible local privilege escalation.

[Mitigation]
Disable unprivileged eBPF.
sysctl -w kernel.unprivileged_bpf_disabled=1

[Potential regression]
BPF programs might execute incorrectly, affecting seccomp, socket filters, tracing and other BPF users.

Commits to address this are upstream in Linus' tree; they are:

  1511df6f5e9e ("s390/bpf: Fix branch shortening during codegen pass")
  6e61dc9da0b7 ("s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant")
  db7bee653859 ("s390/bpf: Fix optimizing out zero-extensions")

and have been applied to the 5.14, 5.4, 4.19, and 4.4 stable branches.
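
A host check built from the mitigation and the fixed package version given in this report, as an added example that is not part of the original bug report or of any Ubuntu tooling. The function name `classify` and its result strings are hypothetical; it assumes hirsute generic kernels report `5.11.0-<ABI>-generic` in `uname -r`, so that the fixed package 5.11.0-36.40 corresponds to ABI 36.

```shell
#!/bin/sh
# Added example: classify a host against the s390x BPF JIT bugs in LP #1943960.
# Inputs are arguments so the logic can be exercised with constructed values.

# classify ARCH KERNEL_RELEASE UNPRIV_BPF_DISABLED
#   ARCH                 output of `uname -m`
#   KERNEL_RELEASE       output of `uname -r`
#   UNPRIV_BPF_DISABLED  content of /proc/sys/kernel/unprivileged_bpf_disabled
classify() {
    arch=$1 release=$2 unpriv=$3

    # The bugs are in the s390 BPF JIT; other architectures use other JITs.
    if [ "$arch" != "s390x" ]; then
        echo "not-applicable"
        return 0
    fi

    # Assumption: ABI 36 in `uname -r` corresponds to the fixed hirsute
    # package 5.11.0-36.40. Other series are not judged here because the
    # report does not list their fixed package versions.
    case $release in
        5.11.0-*-generic)
            abi=${release#5.11.0-}   # "36-generic"
            abi=${abi%%-*}           # "36"
            case $abi in
                ''|*[!0-9]*) ;;      # not a number: fall through to the sysctl
                *) if [ "$abi" -ge 36 ]; then echo "patched"; return 0; fi ;;
            esac
            ;;
    esac

    # Kernel not recognised as fixed: report the state of the mitigation.
    case $unpriv in
        0)   echo "unmitigated" ;;   # unprivileged users may load BPF programs
        1|2) echo "mitigated" ;;     # unprivileged bpf() is refused
        *)   echo "unknown" ;;       # sysctl missing or unreadable
    esac
}

# Report for the running host.
host_unpriv=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo missing)
echo "$(uname -m) $(uname -r): $(classify "$(uname -m)" "$(uname -r)" "$host_unpriv")"
```

The `sysctl -w` setting does not survive a reboot unless it is also placed in a sysctl configuration file, so a "mitigated" result describes only the running system.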

summary: - CRD-2021-09-21
+ s390x BPF JIT vulnerabilities
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.11.0-36.40

---------------
linux (5.11.0-36.40) hirsute; urgency=medium

  * s390x BPF JIT vulnerabilities (LP: #1943960)
    - SAUCE: s390/bpf: Fix branch shortening during codegen pass
    - SAUCE: s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant
    - SAUCE: s390/bpf: Fix optimizing out zero-extensions

 -- Thadeu Lima de Souza Cascardo <email address hidden> Fri, 17 Sep 2021 12:17:08 -0300

Changed in linux (Ubuntu):
status: New → Fix Released
information type: Private Security → Public Security
Frank Heimes (fheimes)
tags: added: s390x
Changed in ubuntu-z-systems:
status: New → Fix Released
Steve Beattie (sbeattie) wrote :

Commits to address this are upstream in Linus' tree; they are:

  1511df6f5e9e ("s390/bpf: Fix branch shortening during codegen pass")
  6e61dc9da0b7 ("s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant")
  db7bee653859 ("s390/bpf: Fix optimizing out zero-extensions")

Steve Beattie (sbeattie)
description: updated
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-kvm/5.11.0-1017.18 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-hirsute' to 'verification-done-hirsute'. If the problem still exists, change the tag 'verification-needed-hirsute' to 'verification-failed-hirsute'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-hirsute
Stefan Bader (smb)
tags: added: kernel-cve-tracker
removed: verification-needed-hirsute
This report contains Public Security information  
Everyone can see this security related information.