An out of bounds memory read flaw was found in the Linux kernel’s implementation of the eBPF code verifier. A user passing corrupted data to a helper function could access data inside the adjust_ptr_min_max_vals() function. By default, the eBPF verifier is only accessible to users with CAP_SYS_ADMIN privileges. The lack of proper validation of user-supplied eBPF programs prior to execution is the cause of this issue which could lead to a local user’s ability to crash the system or possibly escalate their privileges on the system.

Mitigation

The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space.

For the Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled.

For the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command:

cat /proc/sys/kernel/unprivileged_bpf_disabled

The setting of 1 would mean that unprivileged users can not use eBPF.