blob: 72fdeb26be391ab2a2a2c7c42dbf7a7157c20e37 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
Description: eBPF 32-bit source register truncation on div/mod
References:
https://www.openwall.com/lists/oss-security/2021/06/23/1
Notes:
carnil> Introduced by 68fda450a7df ("bpf: fix 32-bit divide by zero")
carnil> in 4.15-rc9 (and was backported to 4.9.79). Though the specifc
carnil> attack will not work on v4.9.y as pointer arithmetic is
carnil> prohibited on those kernels.
bwh> For 4.9, commits f6b1b3bf0d5f "bpf: fix subprog verifier bypass by
bwh> div/mod by 0 exception" and d405c7407a54 "bpf: allocate 0x06 to new
bwh> eBPF instruction class JMP32" etc. need to be applied first.
Bugs:
upstream: released (5.11) [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
5.10-upstream-stable: released (5.10.16) [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
4.19-upstream-stable: released (4.19.206) [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
4.9-upstream-stable: needed
sid: released (5.10.19-1)
5.10-bullseye-security: N/A "Fixed before branching point"
4.19-buster-security: released (4.19.208-1)
4.9-stretch-security: needed
|
