CLD-191 Details
Other IDs this deficiency may be known by: CVE-2017-16995
Basic Information:
Affected Package(s) |
linux |
Deficiency Type |
SECURITY |
Date Created |
2017-12-25 13:52:09 |
Date Last Modified |
2017-12-25 14:17:51 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in linux-4.9.72-i686-1 |
Cucumber 1.0 x86_64 | fixed in linux-4.9.72-x86_64-1 |
Cucumber 1.1 i686 | fixed in linux-4.9.72-i686-1 |
Cucumber 1.1 x86_64 | fixed in linux-4.9.72-x86_64-1 |
Details:
=================================== Overview ===================================
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through
4.14.8 allows local users to cause a denial of service (memory corruption) or
possibly have unspecified other impact by leveraging incorrect sign extension.
================================ Initial Report ================================
From the Linux Changelog
(https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.72):
commit 3695b3b18519099224efbc5875569d2cb6da256d
Author: Daniel Borkmann
Date: Fri Dec 22 16:29:05 2017 +0100
bpf: fix incorrect sign extension in check_alu_op()
From: Jann Horn
[ Upstream commit 95a762e2c8c942780948091f8f2a4f32fce1ac6f ]
Distinguish between
BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
only perform sign extension in the first case.
Starting with v4.14, this is exploitable by unprivileged users as long as
the unprivileged_bpf_disabled sysctl isn't set.
Debian assigned CVE-2017-16995 for this issue.
v3:
- add CVE number (Ben Hutchings)
Fixes: 484611357c19 ("bpf: allow access into map value arrays")
Signed-off-by: Jann Horn
Acked-by: Edward Cree
Signed-off-by: Alexei Starovoitov
Signed-off-by: Daniel Borkmann
Signed-off-by: Greg Kroah-Hartman
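The distinction the commit message draws, shown as an added illustration that is not part of the original advisory or of the kernel source: a small C model of what a BPF_MOV with a 32-bit immediate actually leaves in the destination register at run time under each ALU class, beside a model of what the pre-fix and the fixed check_alu_op() tracking believe the register holds. The verifier_known_value_* functions are a simplification written for this page (the real verifier tracks ranges and other state, not a single value) and are not the kernel's own code; the opcode constants match include/uapi/linux/bpf.h.

```c
#include <stdint.h>
#include <stdio.h>

/* eBPF opcode encoding, as in include/uapi/linux/bpf.h */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_SRC(code)   ((code) & 0x08)
#define BPF_OP(code)    ((code) & 0xf0)
#define BPF_ALU   0x04   /* 32-bit ALU: result is zero-extended to 64 bits */
#define BPF_ALU64 0x07   /* 64-bit ALU */
#define BPF_K     0x00   /* operand is the 32-bit signed immediate */
#define BPF_X     0x08   /* operand is src_reg */
#define BPF_MOV   0xb0

/* What the interpreter/JIT puts in dst_reg for "dst = imm" at run time.
 * The immediate is always a signed 32-bit field; only the ALU64 form
 * sign-extends it, the ALU (32-bit) form clears the upper 32 bits. */
uint64_t bpf_mov_k_runtime(uint8_t code, int32_t imm)
{
    if (BPF_OP(code) != BPF_MOV || BPF_SRC(code) != BPF_K)
        return 0;                               /* not a MOV_K; out of scope here */
    if (BPF_CLASS(code) == BPF_ALU64)
        return (uint64_t)(int64_t)imm;          /* sign-extend to 64 bits */
    return (uint64_t)(uint32_t)imm;             /* zero-extend to 64 bits */
}

/* Model of the pre-fix tracking (illustrative, not kernel code): the signed
 * 32-bit immediate is stored into a 64-bit "known value" without looking at
 * the class, so it is sign-extended for BPF_ALU as well as BPF_ALU64. */
uint64_t verifier_known_value_buggy(uint8_t code, int32_t imm)
{
    (void)code;
    return (uint64_t)(int64_t)imm;
}

/* Model of the fixed tracking: sign-extend only for BPF_ALU64. */
uint64_t verifier_known_value_fixed(uint8_t code, int32_t imm)
{
    if (BPF_CLASS(code) == BPF_ALU64)
        return (uint64_t)(int64_t)imm;
    return (uint64_t)(uint32_t)imm;
}

typedef uint64_t (*tracker_fn)(uint8_t code, int32_t imm);

/* 1 when the verifier's belief about dst_reg equals the run-time value. */
int tracking_matches_runtime(uint8_t code, int32_t imm, tracker_fn track)
{
    return track(code, imm) == bpf_mov_k_runtime(code, imm);
}

int main(void)
{
    /* Constructed sample immediates: a small positive value, -1, and INT32_MIN. */
    const int32_t samples[] = { 5, -1, INT32_MIN };
    const uint8_t codes[] = { BPF_ALU64 | BPF_MOV | BPF_K, BPF_ALU | BPF_MOV | BPF_K };

    printf("%-10s %-12s %-18s %-18s %-18s\n",
           "class", "imm", "runtime", "buggy-verifier", "fixed-verifier");
    for (size_t c = 0; c < sizeof codes / sizeof codes[0]; c++) {
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
            uint8_t code = codes[c];
            int32_t imm = samples[i];
            printf("%-10s %-12d 0x%016llx 0x%016llx 0x%016llx%s\n",
                   BPF_CLASS(code) == BPF_ALU64 ? "BPF_ALU64" : "BPF_ALU", imm,
                   (unsigned long long)bpf_mov_k_runtime(code, imm),
                   (unsigned long long)verifier_known_value_buggy(code, imm),
                   (unsigned long long)verifier_known_value_fixed(code, imm),
                   tracking_matches_runtime(code, imm, verifier_known_value_buggy)
                       ? "" : "  <- pre-fix tracking is wrong");
        }
    }
    return 0;
}
```

The rows that matter are BPF_ALU with a negative immediate: the register really holds 0x00000000ffffffff, while the pre-fix tracking believes it holds 0xffffffffffffffff (that is, -1). Because the verifier uses such "known" values to decide which branches are reachable and whether a later map-value access stays in bounds (the Fixes: tag points at the map value array access code), a program can be accepted on the strength of a value the hardware never computes, which is why the issue is described as memory corruption rather than a mere crash.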
================================= Our Analysis =================================
----- Affected Products -----
Versions of the Linux Kernel 4.9 Series prior to 4.9.72 are vulnerable to this.
This includes the original versions of the Cucumber Linux 1.0 and 1.1 kernels.
----- Scope and Impact of this Vulnerability -----
This vulnerability allows local users to cause a system wide denial of service
via memory corruption, and possibly has other unspecified impacts. Note that the
upstream commit message states that, starting with v4.14, the bug is exploitable
by unprivileged users unless the unprivileged_bpf_disabled sysctl is set.
----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to version 4.9.72 of the Linux
kernel or by applying the patch from the commit
3695b3b18519099224efbc5875569d2cb6da256d.
================================= Our Solution =================================
We have upgraded to Linux 4.9.72.