Vulnerabilities In The Linux Kernels BPF Virtual Machine Lets Any Local User Run Kernel-Level Code


Tux.png

A new Linux kernel vulnerability identified as CVE-2021-29154 allows regular unprivileged system users on any modern GNU/Linux users to run code in kernel-mode. Proof of concept exploit code exists. The vulnerability is present up to and including Linux 5.11.12, the Linux kernel developers have yet to release a safe version. A patch and workarounds do exist.

written by 윤채경 (Yoon Chae-kyung)  2021-04-09 - last edited 2021-04-09. © CC BY

Bpf jit comp.jpg
The vulnerable Linux kernel code in question: arch/x86/net/bpf_jit_comp.c from Linux 5.11.12.

The Linux kernel has a built-in virtual machine called the extended Berkeley Packet Filter (eBPF). It was primarily intended for firewall-related purposes, but it has become much more than that. It is, in essence, a simple general-purpose virtual machine within the Linux kernel.

It turns out that the Linux kernels eBPF virtual machine can be tricked into running code it shouldn't due to the way BPF JIT compilers for some architectures compute branch displacements when generating machine code. It is possible to create specially crafted machine code that is executed in kernel mode, thus allowing attackers to execute all sorts of malicious code in kernel mode.

Piotr Krysiuk has developed Proof Of Concept exploit code and two loophole-closing patches for the Linux kernels BPF sub-system (patch1, patch2). The PoC code is not yet publicly available. The vulnerability is assigned CVE number CVE-2021-29154.

There are two simple work-arounds that will work fine for most Linux users:

echo 0 > /proc/sys/net/core/bpf_jit_enable

or

echo 'kernel.unprivileged_bpf_disabled=1' > /etc/sysctl.d/98-disable-bpf_jit.conf
sysctl --system

The first of these workarounds disable the BPF JIT engine. The second disables unprivileged access to the bpf () syscall entirely. No access, no problem.

The Linux kernel developers have yet to release new updated Linux versions without this vulnerability. The latest Linux 5.11.12 kernel is vulnerable. We recommend that administers of systems where random users have access disable BPF for regular users unless it is actually needed for some reason. It's likely not. Regular hobbyist users should do the same, though there is far less reason to worry or care if you are a Linux desktop user and you are the only one with a user-account on your machine.

(0 votes)