CLD-191 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-16995
Other ID(s)

Basic Information:

Affected Package(s) linux
Deficiency Type SECURITY
Date Created 2017-12-25 13:52:09
Date Last Modified 2017-12-25 14:17:51

Version Specific Information:

Cucumber 1.0 i686 fixed in linux-4.9.72-i686-1
Cucumber 1.0 x86_64 fixed in linux-4.9.72-x86_64-1

Cucumber 1.1 i686 fixed in linux-4.9.72-i686-1
Cucumber 1.1 x86_64 fixed in linux-4.9.72-x86_64-1

Details:

=================================== Overview ===================================

The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through
4.14.8 allows local users to cause a denial of service (memory corruption) or
possibly have unspecified other impact by leveraging incorrect sign extension.

================================ Initial Report ================================

From the Linux Changelog
(https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.72):

commit 3695b3b18519099224efbc5875569d2cb6da256d
Author: Daniel Borkmann 
Date:   Fri Dec 22 16:29:05 2017 +0100

    bpf: fix incorrect sign extension in check_alu_op()
    
    
    From: Jann Horn 
    
    [ Upstream commit 95a762e2c8c942780948091f8f2a4f32fce1ac6f ]
    
    Distinguish between
    BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
    and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
    only perform sign extension in the first case.
    
    Starting with v4.14, this is exploitable by unprivileged users as long as
    the unprivileged_bpf_disabled sysctl isn't set.
    
    Debian assigned CVE-2017-16995 for this issue.
    
    v3:
     - add CVE number (Ben Hutchings)
    
    Fixes: 484611357c19 ("bpf: allow access into map value arrays")
    Signed-off-by: Jann Horn 
    Acked-by: Edward Cree 
    Signed-off-by: Alexei Starovoitov 
    Signed-off-by: Daniel Borkmann 
    Signed-off-by: Greg Kroah-Hartman 

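As an added illustration (not part of the changelog entry above nor of the Cucumber advisory), the C model below contrasts what the pre-fix verifier believed a MOV-immediate left in the destination register with what the interpreter actually stores. The opcode constants are the kernel's UAPI BPF encoding; the function names and the "before/after" models are my own simplification of check_alu_op() and __mark_reg_known().

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Opcode encoding as in the kernel UAPI headers. */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_ALU   0x04   /* 32-bit ALU op: result zero-padded to 64 bits */
#define BPF_ALU64 0x07   /* 64-bit ALU op */
#define BPF_MOV   0xb0
#define BPF_K     0x00   /* operand is the 32-bit immediate */

/* What the interpreter really stores into dst for "MOV dst, imm". */
static uint64_t runtime_mov_k(uint8_t code, int32_t imm)
{
    if (BPF_CLASS(code) == BPF_ALU64)
        return (uint64_t)(int64_t)imm;   /* sign-extended to 64 bits */
    return (uint64_t)(uint32_t)imm;      /* upper 32 bits cleared */
}

/* Verifier model before the fix: the s32 immediate was passed straight
 * into a u64 "known value", so it was sign-extended for both classes. */
static uint64_t verifier_known_before(uint8_t code, int32_t imm)
{
    (void)code;
    return (uint64_t)(int64_t)imm;
}

/* Verifier model after the fix: sign-extend only for BPF_ALU64. */
static uint64_t verifier_known_after(uint8_t code, int32_t imm)
{
    if (BPF_CLASS(code) == BPF_ALU64)
        return (uint64_t)(int64_t)imm;
    return (uint64_t)(uint32_t)imm;
}

/* True when the verifier's belief about dst diverges from what executes;
 * any such divergence breaks the bounds tracking the verifier relies on. */
static bool verifier_mismatch(uint64_t (*model)(uint8_t, int32_t),
                              uint8_t code, int32_t imm)
{
    return model(code, imm) != runtime_mov_k(code, imm);
}

int main(void)
{
    uint8_t mov32 = BPF_ALU | BPF_MOV | BPF_K;
    printf("32-bit MOV of -1: runtime=%#llx before=%#llx after=%#llx\n",
           (unsigned long long)runtime_mov_k(mov32, -1),
           (unsigned long long)verifier_known_before(mov32, -1),
           (unsigned long long)verifier_known_after(mov32, -1));
    return verifier_mismatch(verifier_known_after, mov32, -1) ? 1 : 0;
}
```

Only the 32-bit MOV with a negative immediate differs between the two models; for BPF_ALU64, and for any non-negative immediate, both agree with the interpreter.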
================================= Our Analysis =================================

----- Affected Products -----
Versions of the Linux Kernel 4.9 Series prior to 4.9.72 are vulnerable to this.
This includes the original versions of the Cucumber Linux 1.0 and 1.1 kernels.

----- Scope and Impact of this Vulnerability -----
This vulnerability allows local users to cause a system wide denial of service
via memory corruption and possibly has other unspecified impacts.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to version 4.9.72 of the Linux
kernel or by applying the patch from the commit
3695b3b18519099224efbc5875569d2cb6da256d.

================================= Our Solution =================================

We have upgraded to Linux 4.9.72.