In the EBPF subsystem, which allows you to run handlers inside the Linux kernel in a special virtual machine with Jit, vulnerability ( CVE-2021-4204 ), which gives the opportunity to the local unprivileged user to achieve Enhance the privileges and performing their code at the Linux kernel level. The problem is manifested from the Linux 5.8 kernel and is still defective (affects the release of 5.16). The status of the formation of updates to eliminate the problem in distributions can be traced on the pages: Debian , RHEL , SUSE , Fedora , Ubuntu , Arch . Announced the creation of working exploit, which is planned to publish January 18 (users and developers are given week to eliminate vulnerability).
Vulnerability is caused by incorrect verification of transmitted EBPF programs. The EBPF subsystem provides auxiliary functions, the correctness of the use of which checks a special verifier. Some functions require the transfer of the PTR_TO_MEM value as an argument and to prevent possible overflows the verifier buffer should know the size of the memory argument. For the BPF_RINGBUF_SUBMIT and BPF_RINGBUF_DISCARD functions, data on the size of the transmitted memory was not reported to the verifier, which could be used to overwrite the areas of memory abroad when performing a specially decorated EBPF code.
To hold an attack, the user must be able to download its BPF program, and many fresh Linux distributions block such an opportunity (including unreasonable access to EBPF is now prohibited by default and in the core itself, starting from release 5.16). For example, a vulnerability can be operated in the default configuration in Ubuntu 20.04 LTS, but in Ubuntu 22.04-Dev environments, Debian 11 and Fedora 33 manifests itself if the administrator set the Kernel.unprivileged_BPF_DISABLED parameter to 0. As a workaround of blocking vulnerability, you can prohibit execution as a workaround path BPF programs from unprivileged users with the command “sysctl -w kernel.unprivileged_bpf_disabled = 1”.