*** This bug is a security vulnerability ***

Public security bug reported:

[Impact]

Per Jann Horn, "Upstream commit dd066823db2ac4e22f721ec85190817b58059a54
("bpf/verifier: disallow pointer subtraction") fixes a security bug
(kernel pointer leak to unprivileged userspace)."

https://lore.kernel.org/netdev/CAG48ez1=zogmdsue38hkg73ea4en+5qotltmzme+pgcthhw...@mail.gmail.com/

[Test Case]

Run the "check subtraction on pointers for unpriv" test from
tools/testing/selftests/bpf/test_verifier.c. The test should pass if the
bug is fixed, fail otherwise.

[Regression Potential]

The change could cause a regression in an unprivileged process that is
using eBPF. I suspect that this is unlikely. The alternative is to leave
a potential security hole open.

** Affects: linux (Ubuntu)
     Importance: Medium
     Assignee: Tyler Hicks (tyhicks)
         Status: Fix Released

** Affects: linux (Ubuntu Bionic)
     Importance: Medium
     Assignee: Tyler Hicks (tyhicks)
         Status: In Progress

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
       Status: In Progress => Fix Released

** Changed in: linux (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: linux (Ubuntu Bionic)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1815259

Title:
  BPF: kernel pointer leak to unprivileged userspace

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  In Progress

