Vulnerabilities in the eBPF subsystem of the Linux kernel

A vulnerability (CVE-2021-29154) has been identified in the eBPF subsystem, which lets handlers for tracing, subsystem analysis and traffic management run inside the Linux kernel in a special JIT-enabled virtual machine. The flaw allows a local user to execute their own code at the kernel level. The problem affects releases up to and including 5.11.12 and has not yet been fixed in distributions (Debian, Ubuntu, RHEL, Fedora, SUSE, Arch). The fix is available as a patch.

According to the researchers who identified the vulnerability, they were able to develop a working prototype exploit for 32-bit and 64-bit x86 systems that can be used by an unprivileged user. At the same time, Red Hat notes that the severity of the problem depends on whether the eBPF system call is available to the user. For example, on RHEL and most other Linux distributions in the default configuration, the vulnerability can be exploited when BPF JIT is enabled and the user holds CAP_SYS_ADMIN rights. As a workaround, it is recommended to disable BPF JIT with the command: echo 0 > /proc/sys/net/core/bpf_jit_enable
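The three facts above (affected kernel range, the bpf_jit_enable knob, and whether unprivileged users can reach bpf()) are what an administrator needs to triage a fleet. The following script is an added example, not code from the article or from the kernel project; the sysctl kernel.unprivileged_bpf_disabled is a real knob but is not named in the article, and the verdict wording is the script's own.

```shell
#!/bin/sh
# Added example, not from the article: classify a host's exposure to
# CVE-2021-29154 from the facts the text gives (affected kernels up to and
# including 5.11.12; the JIT knob /proc/sys/net/core/bpf_jit_enable; whether
# unprivileged users can reach bpf()). The sysctl
# kernel.unprivileged_bpf_disabled is real but not named in the article.

# version_le A B: succeed if dotted numeric version A <= B.
version_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0; [ -z "$bi" ] && bi=0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# assess_bpf_exposure RELEASE JIT UNPRIV_DISABLED -> one verdict line.
# RELEASE is `uname -r` (anything after '-' is dropped); JIT is the value of
# bpf_jit_enable (0 = off); UNPRIV_DISABLED is unprivileged_bpf_disabled.
assess_bpf_exposure() {
    v=${1%%-*}
    if ! version_le "$v" "5.11.12"; then
        echo "not-in-range: kernel $v is newer than 5.11.12"
    elif [ "$2" = "0" ]; then
        echo "mitigated: JIT disabled on affected kernel $v (recommended workaround)"
    elif [ "$3" = "1" ] || [ "$3" = "2" ]; then
        echo "reduced: JIT on, but bpf() requires privilege on affected kernel $v"
    else
        echo "exposed: JIT on and bpf() reachable by unprivileged users on kernel $v"
    fi
}

# Read the live knobs on a Linux host; values fall back to "?" elsewhere.
assess_live_host() {
    jit=$(cat /proc/sys/net/core/bpf_jit_enable 2>/dev/null || echo "?")
    unpriv=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo "?")
    assess_bpf_exposure "$(uname -r)" "$jit" "$unpriv"
}

# Constructed sample inputs (not real hosts):
assess_bpf_exposure "5.10.25-generic" 1 0   # exposed
assess_bpf_exposure "5.11.12" 0 0           # mitigated
assess_bpf_exposure "5.4.107" 1 1           # reduced
assess_bpf_exposure "5.12.1" 1 0            # not-in-range
```

A kernel inside the range may still carry the fix as a distribution backport, so "exposed" means "check the package changelog", not a confirmed hole.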

The problem is caused by an error in calculating the offset of branch instructions when the JIT compiler generates machine code. In particular, when generating branch instructions, the compiler does not take into account that the offset may change after the optimization stage. This flaw can be used to generate anomalous machine code and execute it at the kernel level.

It is noteworthy that this is not the only recent vulnerability in the eBPF subsystem. At the end of March, two more vulnerabilities were identified in the kernel (CVE-2020-27170, CVE-2020-27171) which make it possible to use eBPF to bypass protection against Spectre-class vulnerabilities, which allow the contents of kernel memory to be determined by creating conditions for the speculative execution of certain operations. A Spectre attack requires the presence in privileged code of a certain sequence of instructions that leads to speculative execution. In eBPF, several ways have been found to generate such sequences through manipulation of the BPF programs passed for execution.

Vulnerability CVE-2020-27170 is caused by pointer manipulations in the BPF verifier that lead to speculative accesses outside the buffer boundaries. Vulnerability CVE-2020-27171 is associated with an integer arithmetic error (integer underflow) when working with pointers, leading to speculative access to out-of-buffer data. These issues have already been fixed in kernel releases 5.11.8, 5.10.25, 5.4.107, 4.19.182, and 4.14.227, and are included in kernel updates for most Linux distributions. Researchers have prepared a prototype exploit that allows an unprivileged user to extract data from kernel memory.

Source: opennet.ru