Vulnerabilities In The Linux Kernels BPF Virtual Machine Lets Any Local User Run Kernel-Level Code
A new Linux kernel vulnerability identified as CVE-2021-29154 allows regular unprivileged system users on any modern GNU/Linux users to run code in kernel-mode. Proof of concept exploit code exists. The vulnerability is present up to and including Linux 5.11.12, the Linux kernel developers have yet to release a safe version. A patch and workarounds do exist.
The Linux kernel has a built-in virtual machine called the extended Berkeley Packet Filter (eBPF). It was primarily intended for firewall-related purposes, but it has become much more than that. It is, in essence, a simple general-purpose virtual machine within the Linux kernel.
It turns out that the Linux kernels eBPF virtual machine can be tricked into running code it shouldn't due to the way BPF JIT compilers for some architectures, including x86-64, compute branch displacements when generating machine code. It is possible to create specially crafted machine code that is executed in kernel mode, thus allowing attackers to execute all sorts of malicious code in kernel mode.
Piotr Krysiuk, who discovered this vulnerability, has developed Proof Of Concept exploit code and two loophole-closing patches for the Linux kernels BPF sub-system (patch1, patch2). The PoC code is not yet publicly available. The vulnerability is assigned CVE number CVE-2021-29154.
There are two simple work-arounds that will work fine for most Linux users:
echo 0 > /proc/sys/net/core/bpf_jit_enable
echo 'kernel.unprivileged_bpf_disabled=1' > /etc/sysctl.d/98-disable-bpf_jit.conf sysctl --system
The first of these workarounds disables the BPF JIT engine. The second disables unprivileged access to the bpf () syscall entirely. No access, no problem.
This is not the first problem Piotr Krysiuk has identified in the Linux kernels BPF JIT engine. He previously discovered two other problems with it, CVE-2020-27170 and CVE-2020-27171, that where publicly disclosed in March this year. Those were fixed in Linux 5.11.8, 5.10.25, 5.4.107, 4.19.182, and 4.14.227.
The Linux kernel developers have yet to release new updated Linux versions without the latest CVE-2021-29154 vulnerability. The latest Linux 5.11.12 kernel is vulnerable. We recommend that administers of systems where random users have access disable BPF for regular users unless it is actually needed for some reason. It's likely not. Regular hobbyist users should do the same, though there is far less reason to worry or care if you are a Linux desktop user and you are the only one with a user-account on your machine.
The Russians know about the Linux kernels BPF JIT vulnerabilities.