CVE-2017-16995 CVE-2017-16996: Security: Arbitrary read/write in kernel due to eBPF verifier bugs
Issue description

See https://bugs.chromium.org/p/project-zero/issues/detail?id=1454

Can be used for privilege escalation to kernel/root. I don't think we have CONFIG_BPF_SYSCALL enabled, so the exploit vector used in the report and PoC https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c shouldn't work. Not sure about whether there are other eBPF uses; hopefully groeck@ will know more.

Fix is coming in via the net tree per https://bugs.chromium.org/p/project-zero/issues/detail?id=1454#c7

Looks like something we would want to patch even though BPF is currently off, just in case we decide to enable it at a later point.
Comment 1 by mnissler@chromium.org, Dec 22 2017
And here are a couple CVEs that got allocated: CVE-2017-16995 CVE-2017-16996
Comment 4, Dec 22 2017
As per description and #1, only v4.9+ are affected, which are not shipping. Given that, we'll pull in the fixes through stable tree merges. Marking ExternalDependency for tracking.
Comment 5, Dec 22 2017
As far as I can tell, you cannot hit eBPF without the bpf(2) syscall. Guenter's approach SGTM.
Comment 6, Jan 2 2018
Will be fixed with merge of v4.14.10 (crbug.com/798431). Marking as duplicate.
Comment 7, Jan 2 2018
#6: Lakitu has CONFIG_BPF_SYSCALL enabled.
Comment 8, Jan 2 2018
Yes, CONFIG_BPF_SYSCALL was recently enabled on lakitu per user request (though we don't allow unprivileged users to make bpf syscalls). Getting the patch through a 4.14 merge sounds good.
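The two conditions the thread keeps returning to (is bpf(2) built in at all, and may unprivileged users call it) are the ones a defender would check on a fleet. The script below is an added example, not code from the issue thread or from Chrome OS; it assumes a plain-text kernel .config and the sysctl kernel.unprivileged_bpf_disabled, and treats any non-zero sysctl value as "disabled".

```shell
#!/bin/sh
# Added example, not from the bug thread: classify a host's exposure to
# bpf(2)-reachable verifier bugs such as CVE-2017-16995 from two facts:
# whether CONFIG_BPF_SYSCALL is built in, and whether unprivileged processes
# may call bpf(2) (sysctl kernel.unprivileged_bpf_disabled).

# bpf_exposure CONFIG_FILE UNPRIV_DISABLED
#   CONFIG_FILE      plain-text kernel .config
#   UNPRIV_DISABLED  current value of kernel.unprivileged_bpf_disabled (default 0)
# Prints exactly one of: syscall-off | root-only | unprivileged-reachable
bpf_exposure() {
    cfg=$1
    unpriv=${2:-0}
    if ! grep -q '^CONFIG_BPF_SYSCALL=y$' "$cfg"; then
        # No bpf(2) at all: the eBPF verifier cannot be reached from user space.
        echo syscall-off
    elif [ "$unpriv" != 0 ]; then
        # bpf(2) exists but only privileged callers may use it (1, or 2 on newer kernels).
        echo root-only
    else
        # Any local user can submit programs to the verifier: the exposure the thread is about.
        echo unprivileged-reachable
    fi
}

# Classify the running kernel; prints the verdict, or fails with status 1
# when no kernel config is readable.
check_running_host() {
    tmp=$(mktemp) || return 1
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$tmp"
    else
        echo "kernel config not readable; cannot classify" >&2
        rm -f "$tmp"
        return 1
    fi
    unpriv=$(sysctl -n kernel.unprivileged_bpf_disabled 2>/dev/null || echo 0)
    bpf_exposure "$tmp" "$unpriv"
    rm -f "$tmp"
}
```

A "syscall-off" verdict matches the state the reporter assumed; "root-only" is the Lakitu configuration described in this comment.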
Comment 9, Apr 11 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot