blob: 5bad91b9d177d030bdc2b706368fc31e47ba7cf4 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
Description: enforcing incorrect limits for pointer arithmetic operations by BPF verifier can be abused to perform out-of-bounds reads and writes in kernel memory
References:
https://www.openwall.com/lists/oss-security/2021/05/27/1
https://lore.kernel.org/stable/20210528103810.22025-1-ovidiu.panait@windriver.com/
Notes:
carnil> Introduced by 7fedb63a8307 ("bpf: Tighten speculative pointer
carnil> arithmetic mask") in 5.12-rc8 (and backported to 5.11.17,
carnil> 5.10.33, 5.4.116). Note though that 7fedb63a8307 is part of the
carnil> fixes needed to address CVE-2021-29155 which introduces the
carnil> buggy computation.
carnil> Those commits were included in 4.19.193 with the fixes for
carnil> CVE-2021-29155 and so not introducing CVE-2021-33200 in any of
carnil> the released v4.19.y versions. Thus keeping the entry here as
carnil> "N/A".
Bugs:
upstream: released (5.13-rc4) [3d0220f6861d713213b015b582e9f21e5b28d2e0, bb01a1bba579b4b1c5566af24d95f1767859771e, a7036191277f9fa68d92f2071ddc38c09b1e5ee5]
5.10-upstream-stable: released (5.10.41) [4e2c7b297431457663a90d4186e666b61d5da86c, c87ef240a8bbbda5913fac1e84209d224c1aaf50, 27acfd11ba179b746f55077edf9750f8f7cb1cb6]
4.19-upstream-stable: N/A "Vulnerable code introduced later"
4.9-upstream-stable: N/A "Vulnerable code introduced later"
sid: released (5.10.40-1) [bugfix/all/bpf-wrap-aux-data-inside-bpf_sanitize_info-container.patch, bugfix/all/bpf-fix-mask-direction-swap-upon-off-reg-sign-change.patch, bugfix/all/bpf-no-need-to-simulate-speculative-domain-for-immediates.patch]
4.19-buster-security: N/A "Vulnerable code introduced later"
4.9-stretch-security: N/A "Vulnerable code introduced later"
|