Another privilege-escalation vulnerability in the eBPF subsystem

Another vulnerability has been identified in the eBPF subsystem (no CVE has been assigned). Like the problem reported yesterday, it allows a local unprivileged user to execute code at Linux kernel level. The bug has been present since Linux kernel 5.8 and is still unfixed. A working exploit is expected to be published on January 18.

The new vulnerability is caused by incorrect verification of eBPF programs submitted for execution. Specifically, the eBPF verifier did not properly restrict certain *_OR_NULL pointer types, which lets an eBPF program manipulate kernel pointers and escalate its privileges. To block exploitation, it is recommended to forbid unprivileged users from loading BPF programs with the command "sysctl -w kernel.unprivileged_bpf_disabled=1". Note that once this sysctl is set to 1 it cannot be reset to 0 without a reboot, and that the setting must also be written to a file under /etc/sysctl.d to survive a reboot.
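The following script, an added example that is not part of the original article, checks the current value of the sysctl named above, explains what it means, and applies the mitigation in a way that persists across reboots. The interpretation of the values follows the kernel's own sysctl documentation (0: unprivileged BPF allowed; 1: disabled and locked until reboot; 2: disabled but root may re-enable it); value 2 only exists on newer kernels, so it is treated as an assumption here. The file path, the function names and the /etc/sysctl.d file name are choices made for this example.

```shell
#!/bin/sh
# Added example: inspect and apply kernel.unprivileged_bpf_disabled.
# Not code from the original article; path and names are assumptions.

# Real sysctl file; overridable so the functions can be tested on a copy.
SYSCTL_PATH="${SYSCTL_PATH:-/proc/sys/kernel/unprivileged_bpf_disabled}"

# Print what a raw sysctl value means.
# Exit status: 0 = unprivileged BPF is blocked, 1 = allowed, 2 = unknown value.
describe_unpriv_bpf() {
    case "$1" in
        0) echo "0: unprivileged users may load BPF programs (vulnerable)"; return 1 ;;
        1) echo "1: unprivileged BPF disabled, locked until reboot"; return 0 ;;
        2) echo "2: unprivileged BPF disabled, root may re-enable (assumed: newer kernels only)"; return 0 ;;
        *) echo "unknown value '$1'"; return 2 ;;
    esac
}

# Read the value from the given file (default: the real sysctl path).
# Prints "missing" with status 2 when the file is absent, e.g. a kernel
# built without CONFIG_BPF_SYSCALL or one too old to have the knob.
read_unpriv_bpf() {
    f="${1:-$SYSCTL_PATH}"
    if [ ! -r "$f" ]; then
        echo "missing"
        return 2
    fi
    tr -d '[:space:]' < "$f"
}

# Report the live state of the running kernel.
check_current() {
    describe_unpriv_bpf "$(read_unpriv_bpf)"
}

# Apply the mitigation from the article (requires root). Writing 1 blocks
# unprivileged BPF immediately and cannot be undone without a reboot; the
# drop-in file makes it persist. File name is an assumption for this example.
apply_mitigation() {
    sysctl -w kernel.unprivileged_bpf_disabled=1
    printf 'kernel.unprivileged_bpf_disabled = 1\n' > /etc/sysctl.d/99-unprivileged-bpf.conf
    echo "mitigation applied and persisted in /etc/sysctl.d/99-unprivileged-bpf.conf"
}

# Only act when asked, so the file can also be sourced for its functions.
case "${1:-}" in
    check) check_current ;;
    fix)   apply_mitigation ;;
esac
```

Run `sh check_unpriv_bpf.sh check` to see the current state and `sudo sh check_unpriv_bpf.sh fix` to apply the mitigation; the check returns a non-zero status when unprivileged BPF is still allowed, so it can be dropped into a compliance script as-is.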

Source: opennet.ru
