BPF code can allow local privilege escalation (CVE-2021-29154)
Another vulnerability targeting the BPF subsystem has been disclosed publicly in the past few days (CVE-2021-29154). It allows users on a system running a non-default configuration of the BPF subsystem to load specially crafted code as a BPF filter and run arbitrary executable code in the kernel context.
According to vendors, it affects all distributions running kernels up to version 5.11.12. Distribution vendors are starting to deliver patches through their update mechanisms, and KernelCare is also finalizing patches for its rebootless patching process to address this issue.
Because of the nature of the BPF functionality, which is to allow user code to interact with network packet processing within the kernel, there is significant potential for attack given any weakness in the implementation. This specific functionality has been addressed recently in the Spectre mitigation code bug discussed here.
To be vulnerable, a system would have to be configured to allow BPF JIT compilation (for example, by setting “net.core.bpf_jit_enable = 1”). This is often the case in situations where regular users are doing work related to socket manipulation or in seccomp (secure computing mode) environments where permissions are granted more granularly than normal.
The actual vulnerable code resides in arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c in the kernel source code tree. The flaw comes from the way branch displacements are computed when the user code is compiled: the JIT makes wrong assumptions regarding the address of code during optimization.
Proper exploitation of this vulnerability could even lead to container or chroot escape, since the kernel is shared between them, and running code in the kernel context permits it to escape containerization limits.
As a stop-gap procedure, you can quickly disable BPF JIT by running:
# echo 0 > /proc/sys/net/core/bpf_jit_enable
which will persist until reversed or a system reboot happens. A more permanent removal can be achieved by using your distribution’s sysctl (or equivalent) configuration utility to set “net.core.bpf_jit_enable=0” at boot time. Of course, this type of solution solves the problem by disabling the functionality, which in itself is self-defeating. If you actually had your system configured to use BPF JIT, in all likelihood your use case needed that setting explicitly enabled, and you should rely instead on proper kernel patching, either through your distribution vendor’s patches or through KernelCare’s rebootless process.
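
Before choosing between the stop-gap and patching, it helps to know whether a host meets both conditions described above. The following read-only triage script is an added example, not part of the original article or of any vendor tooling; its function names and verdict strings are made up for illustration, and it assumes a `sort` that supports `-V`.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2021-29154 exposure (read-only).
# The 5.11.12 ceiling and the bpf_jit_enable condition come from the article.
# Caveat: distributions backport fixes without changing the base version, so
# an in-range version is a prompt to check the vendor advisory, not proof.

LAST_AFFECTED="5.11.12"

# Strip distro suffixes: "5.4.0-70-generic" -> "5.4.0".
base_version() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# version_le A B: true when dotted version A <= B.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# assess RELEASE JIT: verdict for a kernel release string and a
# bpf_jit_enable value (0 = off, 1 = on, 2 = on with debug output).
assess() {
    ver=$(base_version "$1")
    case "$2" in
        1|2) jit=on ;;
        *)   jit=off ;;
    esac
    if version_le "$ver" "$LAST_AFFECTED"; then range=in; else range=out; fi
    case "$jit/$range" in
        on/in)  echo "EXPOSED-UNLESS-BACKPORTED" ;;
        off/in) echo "MITIGATED-JIT-OFF" ;;
        *)      echo "VERSION-NOT-IN-RANGE" ;;
    esac
}

# Read live values; a missing sysctl file is treated as JIT unavailable.
assess_host() {
    jit_file=/proc/sys/net/core/bpf_jit_enable
    if [ -r "$jit_file" ]; then jit=$(cat "$jit_file"); else jit=0; fi
    assess "$(uname -r)" "$jit"
}

assess_host
```

In a container, the script reports on the shared host kernel, which is the kernel that matters for the escape scenario described above.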