Vulnerability in the eBPF subsystem that allows code execution at the Linux kernel level

A vulnerability (CVE-2021-4204) has been identified in the eBPF subsystem, which lets handlers run inside the Linux kernel in a special JIT-compiled virtual machine. The flaw allows a local unprivileged user to escalate privileges and execute their own code at the Linux kernel level. The problem has been present since the Linux 5.8 kernel and remains unfixed (including release 5.16). The status of updates that eliminate the problem in distributions can be tracked on these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch. The creation of a working exploit has been announced; it is planned to be published on January 18 (users and developers have been given a week to fix the vulnerability).

The vulnerability is caused by incorrect checking of eBPF programs submitted for execution. The eBPF subsystem provides helper functions whose use is checked by a special verifier. Some helpers require a value of type PTR_TO_MEM to be passed as an argument, and to prevent possible buffer overflows, the verifier must know the size of the memory associated with that argument. For the bpf_ringbuf_submit and bpf_ringbuf_discard helpers, the size of the memory passed was not reported to the verifier, which could be used to overwrite memory outside the buffer boundary when executing specially crafted eBPF code.

To carry out an attack, the user must be able to load their own BPF program, and many recent Linux distributions block this by default (moreover, unprivileged access to eBPF is now prohibited by default in the kernel itself, starting with release 5.16). For example, the vulnerability can be exploited in the default configuration of Ubuntu 20.04 LTS, but in Ubuntu 22.04-dev, Debian 11, openSUSE 15.3, RHEL 8.5, SUSE 15-SP4, and Fedora 33 it is only exploitable if the administrator has set kernel.unprivileged_bpf_disabled to 0. As a workaround, you can disable the execution of BPF programs by unprivileged users with the "sysctl -w kernel.unprivileged_bpf_disabled=1" command.
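The following script is an added example, not code from the article or from any distribution: it audits the kernel.unprivileged_bpf_disabled setting named above and applies the workaround only when explicitly asked to. It assumes a Linux host where the sysctl is exposed at the standard /proc/sys path; the function names, the BPF_HARDEN environment variable and the sample values fed to the check are all constructed here. The value meanings (0 = unprivileged loading allowed, 1 = disabled and locked until reboot, 2 = disabled but reversible by root) follow the kernel's sysctl documentation.

```sh
#!/bin/sh
# Added example (not from the article): audit and, on request, harden the
# kernel.unprivileged_bpf_disabled sysctl that the text names as the workaround.
# Assumes a Linux host; the path below is the standard /proc/sys location.
SYSCTL_PATH="${SYSCTL_PATH:-/proc/sys/kernel/unprivileged_bpf_disabled}"

# Map the raw sysctl value to a verdict string (kernel documented semantics).
classify_unpriv_bpf() {
    case "$1" in
        0) echo "EXPOSED: unprivileged users may load eBPF programs" ;;
        1) echo "HARDENED: unprivileged eBPF disabled (locked until reboot)" ;;
        2) echo "HARDENED: unprivileged eBPF disabled (root may re-enable)" ;;
        *) echo "UNKNOWN: unexpected value '$1'" ;;
    esac
}

# Read the current value from a sysctl file; prints "missing" when the
# knob is absent (kernel built without it, or a non-Linux host).
read_unpriv_bpf() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo "missing"
    fi
}

# Returns 0 when hardened, 1 when exposed or unknown, so the function can
# drive a compliance check or a CI gate. Takes the sysctl file path.
check_unpriv_bpf() {
    value=$(read_unpriv_bpf "$1")
    verdict=$(classify_unpriv_bpf "$value")
    echo "$1 = $value -> $verdict"
    case "$verdict" in
        HARDENED*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the article's workaround (requires root). Writing 1 is a one-way
# switch until reboot; writing 2 keeps the setting reversible by root.
harden_unpriv_bpf() {
    sysctl -w kernel.unprivileged_bpf_disabled="${1:-1}"
}

# Stand-alone usage: audit the running kernel; only write the sysctl when
# BPF_HARDEN=1 is set in the environment (constructed variable name).
if ! check_unpriv_bpf "$SYSCTL_PATH"; then
    if [ "${BPF_HARDEN:-0}" = "1" ]; then
        harden_unpriv_bpf 1 || echo "hardening failed (not root or sysctl unavailable)"
    fi
fi
```

Run it as an unprivileged user to get a read-only audit line; run it as root with BPF_HARDEN=1 to apply the article's setting. Pass 2 instead of 1 to harden_unpriv_bpf if the host must keep the ability to re-enable unprivileged BPF without a reboot.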

Source: opennet.ru
