OOB write on BPF_RINGBUF

Bug #1956585 reported by Thadeu Lima de Souza Cascardo
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

tr3e wang discovered that an OOB write existed in the eBPF subsystem in the Linux kernel on BPF_RINGBUF.

Mitigation commit: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/impish/commit/?id=53fb7741ff9d546174dbb585957b4f8b6afbdb83

Mitigation:

Disable unprivileged ebpf with:

  $ sudo sysctl kernel.unprivileged_bpf_disabled=1

Unprivileged ebpf is disabled by default in Ubuntu 21.10 and newer. See https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled for details on the configuration setting.

CVE References

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.13.0-25.26

---------------
linux (5.13.0-25.26) impish; urgency=medium

  * amdgpu hangs for 90 seconds at a time in 5.13.0-23, but 5.13.0-22 works
    (LP: #1956401)
    - drm/amdkfd: fix boot failure when iommu is disabled in Picasso.

  * OOB write on BPF_RINGBUF (LP: #1956585)
    - SAUCE: bpf: prevent helper argument PTR_TO_ALLOC_MEM to have offset other
      than 0

 -- Kleber Sacilotto de Souza <email address hidden> Fri, 07 Jan 2022 16:16:40 +0100

Changed in linux (Ubuntu):
status: New → Fix Released
Steve Beattie (sbeattie)
information type: Private Security → Public Security
description: updated
Steve Beattie (sbeattie)
description: updated
Steve Beattie (sbeattie)
description: updated
Revision history for this message
Steve Beattie (sbeattie) wrote :

This was assigned CVE-2021-4204.

Revision history for this message
Nguyen Dinh Tu (tund3010) wrote :

I applied 'sudo sysctl kernel.unprivileged_bpf_disabled=1'

But it is still failed while install 'sudo apt install linux-image-5.11.0-46-generic'

dpkg: error processing archive /var/cache/apt/archives/linux-image-5.11.0-46-generic_5.11.0-46.51~20.04.1_amd64.deb (--unpack):
 unable to open '/boot/vmlinuz-5.11.0-46-generic.dpkg-new': Operation not permitted

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Nguyen, do you have any antivirus tools installed? That's the usual cause of errors like this.

Thanks

Revision history for this message
Nguyen Dinh Tu (tund3010) wrote :

Hello Seth,

Yes I've just installed McAfee antivirus. So should I remove antivirus tool?

Thank you,
Tu

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Yes, hopefully you can do that without resorting to a rescue image. Booting with `init=/bin/bash` may help if you can't uninstall it gently.

Thanks

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-gcp-5.13/5.13.0-1013.16~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Revision history for this message
Brian Murray (brian-murray) wrote : [linux-aws-5.11/focal] verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for focal for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers