OOB write on BPF_RINGBUF

Bug #1956585 reported by Thadeu Lima de Souza Cascardo
Affects: linux (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

tr3e wang discovered that an OOB write existed in the eBPF subsystem in the Linux kernel on BPF_RINGBUF.

Mitigation commit: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/impish/commit/?id=53fb7741ff9d546174dbb585957b4f8b6afbdb83

Mitigation:

Disable unprivileged eBPF with:

  $ sudo sysctl kernel.unprivileged_bpf_disabled=1

Unprivileged eBPF is disabled by default in Ubuntu 21.10 and newer. See https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled for details on the configuration setting.
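
One way to check that the mitigation above is active and will still apply after a reboot, as an added example that is not part of the original bug report (a `sysctl` command on its own changes only the running kernel). The function names and the `PROC_FILE` / `SYSCTL_DIRS` overrides are hypothetical, and the sysctl.d ordering is simplified as noted in the comments.

```shell
#!/bin/sh
# Added example: audit the kernel.unprivileged_bpf_disabled mitigation.
# PROC_FILE and SYSCTL_DIRS can be overridden (used for offline testing).
PROC_FILE="${PROC_FILE:-/proc/sys/kernel/unprivileged_bpf_disabled}"
SYSCTL_DIRS="${SYSCTL_DIRS:-/usr/lib/sysctl.d /run/sysctl.d /etc/sysctl.d}"
KEY_RE='^[[:space:]]*-\{0,1\}kernel[./]unprivileged_bpf_disabled[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*'

# Runtime state: enabled | disabled-locked | disabled | unknown
bpf_runtime_state() {
    if [ ! -r "$PROC_FILE" ]; then echo unknown; return 0; fi
    case "$(cat "$PROC_FILE")" in
        0) echo enabled ;;          # unprivileged bpf() is allowed
        1) echo disabled-locked ;;  # disabled; cannot be changed until reboot
        2) echo disabled ;;         # disabled; an administrator can change it
        *) echo unknown ;;
    esac
}

# Value the next boot will apply from sysctl.d, or empty if none sets the key.
# Simplification: files are ordered by basename only; same-name overriding
# between directories and /etc/sysctl.conf are not modelled.
bpf_persisted_value() {
    for d in $SYSCTL_DIRS; do
        for f in "$d"/*.conf; do
            if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
        done
    done | sort | cut -f2- | while IFS= read -r f; do
        sed -n "s|$KEY_RE|\1|p" "$f"
    done | tail -n 1
}

# Verdict: ok | not-persisted | reverts-on-boot | enabled | unknown
bpf_audit() {
    state=$(bpf_runtime_state)
    case "$state" in
        enabled|unknown) echo "$state"; return 0 ;;
    esac
    case "$(bpf_persisted_value)" in
        1|2) echo ok ;;
        0)   echo reverts-on-boot ;;  # a sysctl.d file re-enables it at boot
        *)   echo not-persisted ;;    # relies on the kernel default after reboot
    esac
}

echo "unprivileged BPF: runtime=$(bpf_runtime_state) verdict=$(bpf_audit)"
```

A `not-persisted` verdict is expected on releases where the kernel default already disables unprivileged eBPF; elsewhere it means the runtime setting will be lost at the next boot.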


Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.13.0-25.26

---------------
linux (5.13.0-25.26) impish; urgency=medium

  * amdgpu hangs for 90 seconds at a time in 5.13.0-23, but 5.13.0-22 works
    (LP: #1956401)
    - drm/amdkfd: fix boot failure when iommu is disabled in Picasso.

  * OOB write on BPF_RINGBUF (LP: #1956585)
    - SAUCE: bpf: prevent helper argument PTR_TO_ALLOC_MEM to have offset other
      than 0

 -- Kleber Sacilotto de Souza <email address hidden> Fri, 07 Jan 2022 16:16:40 +0100

Changed in linux (Ubuntu):
status: New → Fix Released
Steve Beattie (sbeattie)
information type: Private Security → Public Security
description: updated
Steve Beattie (sbeattie)
description: updated
Steve Beattie (sbeattie)
description: updated
Steve Beattie (sbeattie) wrote :

This was assigned CVE-2021-4204.

Nguyen Dinh Tu (tund3010) wrote :

I applied 'sudo sysctl kernel.unprivileged_bpf_disabled=1'

But it still failed while installing with 'sudo apt install linux-image-5.11.0-46-generic':

dpkg: error processing archive /var/cache/apt/archives/linux-image-5.11.0-46-generic_5.11.0-46.51~20.04.1_amd64.deb (--unpack):
 unable to open '/boot/vmlinuz-5.11.0-46-generic.dpkg-new': Operation not permitted

Seth Arnold (seth-arnold) wrote :

Nguyen, do you have any antivirus tools installed? That's the usual cause of errors like this.

Thanks

Nguyen Dinh Tu (tund3010) wrote :

Hello Seth,

Yes, I've just installed McAfee antivirus. So should I remove the antivirus tool?

Thank you,
Tu

Seth Arnold (seth-arnold) wrote :

Yes, hopefully you can do that without resorting to a rescue image. Booting with `init=/bin/bash` may help if you can't uninstall it gently.

Thanks
