Description: enforcing incorrect limits for pointer arithmetic operations by BPF verifier can be abused to perform out-of-bounds reads and writes in kernel memory
References:
 https://www.openwall.com/lists/oss-security/2021/05/27/1
 https://lore.kernel.org/stable/20210528103810.22025-1-ovidiu.panait@windriver.com/
Notes:
 carnil> Introduced by 7fedb63a8307 ("bpf: Tighten speculative pointer
 carnil> arithmetic mask") in 5.12-rc8 (and backported to 5.11.17,
 carnil> 5.10.33, 5.4.116). Note though that 7fedb63a8307 is part of the
 carnil> fixes needed to address CVE-2021-29155 which introduces the
 carnil> buggy computation.
 carnil> Those commits were included in 4.19.193 with the fixes for
 carnil> CVE-2021-29155 and so not introducing CVE-2021-33200 in any of
 carnil> the released v4.19.y versions. Thus keeping the entry here as
 carnil> "N/A".
Bugs:
upstream: released (5.13-rc4) [3d0220f6861d713213b015b582e9f21e5b28d2e0, bb01a1bba579b4b1c5566af24d95f1767859771e, a7036191277f9fa68d92f2071ddc38c09b1e5ee5]
5.10-upstream-stable: released (5.10.41) [4e2c7b297431457663a90d4186e666b61d5da86c, c87ef240a8bbbda5913fac1e84209d224c1aaf50, 27acfd11ba179b746f55077edf9750f8f7cb1cb6]
4.19-upstream-stable: N/A "Vulnerable code introduced later"
4.9-upstream-stable: N/A "Vulnerable code introduced later"
sid: released (5.10.40-1) [bugfix/all/bpf-wrap-aux-data-inside-bpf_sanitize_info-container.patch, bugfix/all/bpf-fix-mask-direction-swap-upon-off-reg-sign-change.patch, bugfix/all/bpf-no-need-to-simulate-speculative-domain-for-immediates.patch]
4.19-buster-security: N/A "Vulnerable code introduced later"
4.9-stretch-security: N/A "Vulnerable code introduced later"