CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)
Recent assessments:
space-r7 at August 30, 2021 10:29pm UTC reported:
This vulnerability occurs due to a flaw in calculating safe bounds while performing arithmetic involving a pointer and a scalar when the scalar’s actual value is not known. The verifier calculates a minimum and maximum value (for both signed and unsigned numbers) that can be safely added / subtracted to / from the pointer to ensure that out-of-bounds memory is not accessed. Additionally, the verifier uses the var_off bound to represent what it knows about the current state of the register that the bound is for. The __reg_bound_offset32() function was added in order to update bounds specifically when 32-bit conditionals are performed; however, the technique used to calculate and update bounds can result in bounds that are less than the actual value of the register, meaning that the verifier can be tricked into allowing out-of-bounds reads and writes after all.

I’m not well-versed in exploiting out-of-bounds writes on Linux, but based off of the blog post, triggering the vulnerability seems fairly straightforward at least. The vulnerability didn’t make it to many mainline distro releases, so I reduced the exploitability rating a bit. In the rare chance that you are running a kernel version vulnerable to this, definitely prioritize this and patch your system.
Assessed Attacker Value: 4
Assessed Attacker Value: 3
References:
www.openwall.com/lists/oss-security/2021/07/20/1
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8835
git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef
lists.fedoraproject.org/archives/list/[email protected]/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/
lists.fedoraproject.org/archives/list/[email protected]/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/
lists.fedoraproject.org/archives/list/[email protected]/message/YXBWSHZ6DJIZVXKXGZPK6QPFCY7VKZEG/
lore.kernel.org/bpf/[email protected]/T/
security.netapp.com/advisory/ntap-20200430-0004/
usn.ubuntu.com/4313-1/
www.openwall.com/lists/oss-security/2020/03/30/3
www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results