CVE-2020-8835

In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)

Recent assessments:

space-r7 at August 30, 2021 10:29pm UTC reported:

This vulnerability occurs due to a flaw in calculating safe bounds while performing arithmetic involving a pointer and a scalar when the scalar’s actual value is not known. The verifier calculates a minimum and maximum value (for both signed and unsigned numbers) that can be safely added / subtracted to / from the pointer to ensure that out-of-bounds memory is not accessed. Additionally, the verifier uses the var_off bound to represent what it knows about the current state of the register that the bound is for. The __reg_bound_offset32() function was added in order to update bounds specifically when 32-bit conditionals are performed; however, the technique used to calculate and update bounds can result in bounds that are less than the actual value of the register, meaning that the verifier can be tricked into allowing out-of-bounds reads and writes after all.

I’m not well-versed in exploiting out-of-bounds writes on Linux, but based off of the blog post , triggering the vulnerability seems fairly straightforward at least. The vulnerability didn’t make it to many mainline distro releases, so I reduced the exploitability rating a bit. In the rare chance that you are running a kernel version vulnerable to this, definitely prioritize this and patch your system.

Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 3