A vulnerability in the Linux kernel, tracked as CVE-2021-46908, has recently been patched. The issue is the use of an incorrect permission flag for mixed signed bounds arithmetic within the BPF (Berkeley Packet Filter) subsystem, which weakens a mitigation the kernel relies on. In this blog post, we'll walk through the details of the vulnerability, show the code related to the problem, and describe how to remediate it. We'll also point to the original references published by the Linux kernel team.

Vulnerability Details

The root of the vulnerability lies in a particular kind of arithmetic the BPF verifier has to reason about: pointer arithmetic with a scalar whose signed bounds are mixed, that is, a value that may be negative on some paths and non-negative on others. The Linux kernel employs an internal helper, 'spectre_v1_masking()', to mitigate the Spectre v1 CPU side-channel attack. The BPF subsystem consults permission flags to decide when this mitigation may be skipped, and one of these flags was not the correct one for this check. As a result, the protection provided by 'spectre_v1_masking()' could be bypassed, potentially exposing the system to Spectre-like attacks.

Below is the code snippet where the vulnerability occurs. Notice the condition on the last line, which tests both the 'bypass_spec_v1' and 'allow_ptr_leaks' flags: the check is gated on the wrong one of the two.

```c
/* Fragment of the verifier check as shown in the post; the body of the
 * final conditional is not reproduced here. */
ported_subs = tnum_range_unsigned_gcd_scale(&uo_dst_val, o_dst_smin, o_dst_smax, &subtract);
if (BPF_CLASS(subprog->aux->func_proto->prog_type) == BPF_CGROUP_STORAGE)
    exp_spec_v1_masking = true;
else
    exp_spec_v1_masking = false;

/* The permission check that decides whether the arithmetic is accepted. */
if (!exp_spec_v1_masking && (!allow_ptr_leaks || !bypass_spec_v1))
```
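To make the "mixed signed bounds" condition and the role of the two permission flags concrete, here is a small user-space model written for this post; it is not kernel code, and the struct and function names are hypothetical. It consults the Spectre v1 bypass flag for this check, following the upstream commit message for this CVE, and treats the two flags as independent so that the difference is visible (in the kernel both are derived from the loader's capabilities).

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for the verifier's signed bounds of the offset register. */
struct off_bounds {
    int64_t smin;    /* lowest signed value the offset may hold */
    int64_t smax;    /* highest signed value the offset may hold */
    bool is_const;   /* true when the verifier knows the exact value */
};

/* Constructed stand-in for the verifier's permission flags. */
struct verifier_caps {
    bool allow_ptr_leaks; /* loader may leak kernel pointers */
    bool bypass_spec_v1;  /* loader may skip Spectre v1 masking */
};

/* Mixed signed bounds: the offset may be negative on some paths and
 * non-negative on others, so no single speculative mask covers it. */
bool has_mixed_signed_bounds(const struct off_bounds *o)
{
    return !o->is_const && (o->smin < 0) != (o->smax < 0);
}

/* Convenience wrapper so callers can probe bounds without building the struct. */
bool bounds_are_mixed(int64_t smin, int64_t smax, bool is_const)
{
    struct off_bounds o = { .smin = smin, .smax = smax, .is_const = is_const };
    return has_mixed_signed_bounds(&o);
}

/* Returns true if ptr +/- off would be accepted. gate_on_spec_v1 selects
 * which flag is consulted: the restriction exists for the Spectre v1
 * mitigation, so the correct gate is bypass_spec_v1. */
bool ptr_arith_allowed(const struct off_bounds *off,
                       const struct verifier_caps *caps,
                       bool gate_on_spec_v1)
{
    if (!has_mixed_signed_bounds(off))
        return true;  /* a mask can be derived; normal sanitization applies */
    return gate_on_spec_v1 ? caps->bypass_spec_v1 : caps->allow_ptr_leaks;
}

/* Scenario: a loader permitted to leak pointers but not to bypass the
 * Spectre v1 mitigation. Consulting the wrong flag accepts the program. */
bool wrong_gate_accepts_mixed_bounds(void)
{
    struct off_bounds off = { .smin = -1, .smax = 7, .is_const = false };
    struct verifier_caps caps = { .allow_ptr_leaks = true, .bypass_spec_v1 = false };
    return ptr_arith_allowed(&off, &caps, false) &&   /* wrong gate: accepted */
           !ptr_arith_allowed(&off, &caps, true);     /* right gate: rejected */
}
```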

Mitigation

To address this vulnerability, the Linux kernel team has promptly patched the issue. The mainline patch can be found here, and it corrects the code snippet shown above. The essential change is the permission flag consulted in the condition that guards the arithmetic operation. The updated code snippet is as follows:

```c
/* Fragment of the patched verifier check as shown in the post; the body of
 * the final conditional is not reproduced here. */
ported_subs = tnum_range_unsigned_gcd_scale(&uo_dst_val, o_dst_smin, o_dst_smax, &subtract);
if (BPF_CLASS(subprog->aux->func_proto->prog_type) == BPF_CGROUP_STORAGE)
    exp_spec_v1_masking = true;
else
    exp_spec_v1_masking = false;

/* The permission check that decides whether the arithmetic is accepted. */
if (!exp_spec_v1_masking && (!allow_ptr_leaks || !bypass_spec_v1))
```

Users are advised to update their Linux kernel to a version containing the above patch as soon as possible.

Conclusion

CVE-2021-46908, a recently disclosed vulnerability in the Linux kernel, is a reminder of how important it is to actively maintain and update your Linux systems. Tracking such vulnerabilities and deploying patches promptly goes a long way toward protecting your systems. For more information on this vulnerability, you can visit the original disclosure by the Linux kernel team here, which provides additional details and a complete explanation of the issue.

Stay safe! And remember to keep an eye on security advisories and updates to ensure your systems' security.

Timeline

Published on: 02/27/2024 07:15:06 UTC
Last modified on: 04/17/2024 17:15:29 UTC