Vigil@nce - Linux kernel: use after free via BPF_PROG_LOAD
July 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can force the usage of a freed memory area via
BPF_PROG_LOAD on the Linux kernel, in order to trigger a denial of
service, and possibly to run code with root privileges.
Impacted products: Fedora, Linux, openSUSE Leap, Ubuntu.
Severity: 2/4.
Creation date: 04/05/2016.
DESCRIPTION OF THE VULNERABILITY
The Linux kernel can be configured with:
– CONFIG_BPF_SYSCALL enabled
– kernel.unprivileged_bpf_disabled set to zero
In this configuration, a local attacker can call bpf(BPF_PROG_LOAD) to
force the kernel to free a memory area and then reuse it.
A local attacker can therefore force the usage of a freed memory
area via BPF_PROG_LOAD on the Linux kernel, in order to trigger a
denial of service, and possibly to run code with root privileges.
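The following POSIX shell script is an added example, not part of the Vigil@nce bulletin, that audits the two preconditions the bulletin names (CONFIG_BPF_SYSCALL built in and kernel.unprivileged_bpf_disabled set to 0) and applies the usual mitigation of restricting bpf() to privileged users. The function names, the config path under /boot and the sysctl.d file name are assumptions of this example; the sysctl values 0, 1 and 2 are the documented kernel semantics (2 only exists on newer kernels).

```shell
#!/bin/sh
# Added example (not from the bulletin): audit whether unprivileged users
# can reach bpf(BPF_PROG_LOAD), and harden the host if they can.

# classify_unprivileged_bpf VALUE
# Maps a kernel.unprivileged_bpf_disabled value to a verdict string:
#   0 -> unprivileged bpf() permitted (the bulletin's precondition)
#   1 -> disabled until reboot, cannot be re-enabled
#   2 -> disabled, re-enableable by root (newer kernels only)
classify_unprivileged_bpf() {
    case "$1" in
        0)   echo "EXPOSED" ;;
        1|2) echo "HARDENED" ;;
        *)   echo "UNKNOWN" ;;
    esac
}

# bpf_syscall_compiled_in CONFIG_FILE
# Succeeds when the given kernel config text enables CONFIG_BPF_SYSCALL.
bpf_syscall_compiled_in() {
    grep -qx 'CONFIG_BPF_SYSCALL=y' "$1"
}

# audit_host reports the running kernel's state and fails (non-zero)
# when unprivileged bpf() is reachable.
audit_host() {
    sysctl_path=/proc/sys/kernel/unprivileged_bpf_disabled
    if [ ! -r "$sysctl_path" ]; then
        echo "no $sysctl_path: bpf() syscall probably not built into this kernel"
        return 0
    fi
    value=$(cat "$sysctl_path")
    verdict=$(classify_unprivileged_bpf "$value")
    echo "kernel.unprivileged_bpf_disabled=$value ($verdict)"

    cfg="/boot/config-$(uname -r)"   # assumed config location; may not exist
    if [ -r "$cfg" ] && bpf_syscall_compiled_in "$cfg"; then
        echo "CONFIG_BPF_SYSCALL=y in $cfg"
    fi
    [ "$verdict" != "EXPOSED" ]
}

# harden restricts bpf() to privileged users. Writing 1 is one-way until
# reboot, so it is also persisted in sysctl.d (assumed file name).
harden() {
    sysctl -w kernel.unprivileged_bpf_disabled=1
    printf 'kernel.unprivileged_bpf_disabled = 1\n' > /etc/sysctl.d/99-bpf.conf
}

# Usage: sh bpf_audit.sh audit   |   sh bpf_audit.sh harden (as root)
case "${1:-}" in
    audit)  audit_host ;;
    harden) harden ;;
esac
```

Run it with `audit` first; a non-zero exit means unprivileged users can load BPF programs on this host. Note that a kernel update is still required to remove the underlying use-after-free; the sysctl only removes the unprivileged code path.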
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Linux-kernel-use-after-free-via-BPF-PROG-LOAD-19523