PublicDateAtUSN: 2020-03-30 16:00:00 UTC Candidate: CVE-2020-8835 CRD: 2020-03-30 16:00:00 UTC PublicDate: 2020-04-02 18:15:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8835 https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results https://lore.kernel.org/bpf/20200330160324.15259-1-daniel@iogearbox.net/T/ https://www.openwall.com/lists/oss-security/2020/03/30/3 https://ubuntu.com/security/notices/USN-4313-1 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef https://www.zerodayinitiative.com/advisories/ZDI-20-350/ Description: In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780) Ubuntu-Description: Manfred Paul discovered that the bpf verifier in the Linux kernel did not properly calculate register bounds for certain operations. A local attacker could use this to expose sensitive information (kernel memory) or gain administrative privileges. Notes: sbeattie> introduced by upstream commit 581738a681b6, which was mistakenly backported to upstream stable 5.4 kernel (b4de258dede528f88f401259aab3147fb6da1ddf). Ubuntu's 5.3 kernels are affected because 5.4 stable backport commits were pulled into Ubuntu's 5.3 kernels. Mitigation: Mitigation for this vulnerability is available by setting the kernel.unprivileged_bpf_disabled sysctl to 1: $ sudo sysctl kernel.unprivileged_bpf_disabled=1 $ echo kernel.unprivileged_bpf_disabled=1 | \ sudo tee /etc/sysctl.d/90-CVE-2020-8835.conf This issue is also mitigated on systems that use secure boot, thanks to the kernel lockdown feature which blocks BPF program loading. Bugs: Priority: high Discovered-by: Manfred Paul Assigned-to: kernel-sec CVSS: ubuntu: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H [7.8 HIGH] nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH] Patches_linux: break-fix: 581738a681b6faae5725c2555439189ca81c0f1f f2d67fec0b43edce8c416101cdc52e71145b5fef|local-2020-8835-fix upstream_linux: released (5.7~rc1) precise/esm_linux: not-affected (3.0.0-12.20) trusty_linux: ignored (out of standard support) trusty/esm_linux: not-affected (3.11.0-12.19) xenial_linux: not-affected (4.2.0-16.19) esm-infra/xenial_linux: not-affected (4.2.0-16.19) bionic_linux: not-affected (4.13.0-16.19) eoan_linux: released (5.3.0-45.37) focal_linux: not-affected (5.4.0-21.25) devel_linux: not-affected (5.4.0-26.30) Patches_linux-hwe: upstream_linux-hwe: released (5.7~rc1) precise/esm_linux-hwe: DNE trusty_linux-hwe: DNE trusty/esm_linux-hwe: DNE xenial_linux-hwe: not-affected (4.8.0-36.36~16.04.1) esm-infra/xenial_linux-hwe: not-affected (4.8.0-36.36~16.04.1) bionic_linux-hwe: released (5.3.0-45.37~18.04.1) eoan_linux-hwe: DNE focal_linux-hwe: DNE devel_linux-hwe: DNE Patches_linux-hwe-edge: upstream_linux-hwe-edge: released (5.7~rc1) precise/esm_linux-hwe-edge: DNE trusty_linux-hwe-edge: DNE trusty/esm_linux-hwe-edge: DNE xenial_linux-hwe-edge: not-affected esm-infra/xenial_linux-hwe-edge: not-affected bionic_linux-hwe-edge: ignored (was needs-triage now end-of-life) eoan_linux-hwe-edge: DNE focal_linux-hwe-edge: DNE devel_linux-hwe-edge: DNE Patches_linux-lts-xenial: upstream_linux-lts-xenial: released (5.7~rc1) precise/esm_linux-lts-xenial: DNE trusty_linux-lts-xenial: ignored (out of standard support) trusty/esm_linux-lts-xenial: not-affected (4.4.0-13.29~14.04.1) xenial_linux-lts-xenial: DNE bionic_linux-lts-xenial: DNE eoan_linux-lts-xenial: DNE focal_linux-lts-xenial: DNE devel_linux-lts-xenial: DNE Patches_linux-lts-trusty: upstream_linux-lts-trusty: released (5.7~rc1) precise/esm_linux-lts-trusty: not-affected (3.13.0-24.46~precise1) trusty_linux-lts-trusty: DNE trusty/esm_linux-lts-trusty: DNE xenial_linux-lts-trusty: DNE bionic_linux-lts-trusty: DNE eoan_linux-lts-trusty: DNE focal_linux-lts-trusty: DNE devel_linux-lts-trusty: DNE Patches_linux-oem: upstream_linux-oem: released (5.7~rc1) precise/esm_linux-oem: DNE trusty_linux-oem: DNE trusty/esm_linux-oem: DNE xenial_linux-oem: not-affected bionic_linux-oem: not-affected (4.15.0-1002.3) eoan_linux-oem: not-affected (4.15.0-1035.40) focal_linux-oem: DNE devel_linux-oem: DNE Patches_linux-oem-osp1: upstream_linux-oem-osp1: released (5.7~rc1) precise/esm_linux-oem-osp1: DNE trusty_linux-oem-osp1: DNE trusty/esm_linux-oem-osp1: DNE xenial_linux-oem-osp1: DNE bionic_linux-oem-osp1: not-affected (5.0.0-1010.11) eoan_linux-oem-osp1: not-affected (5.0.0-1010.11) focal_linux-oem-osp1: DNE devel_linux-oem-osp1: DNE Patches_linux-kvm: upstream_linux-kvm: released (5.7~rc1) precise/esm_linux-kvm: DNE trusty_linux-kvm: DNE trusty/esm_linux-kvm: DNE xenial_linux-kvm: not-affected (4.4.0-1004.9) esm-infra/xenial_linux-kvm: not-affected (4.4.0-1004.9) bionic_linux-kvm: not-affected (4.15.0-1002.2) eoan_linux-kvm: released (5.3.0-1014.15) focal_linux-kvm: not-affected (5.4.0-1006.6) devel_linux-kvm: not-affected (5.4.0-1009.9) Patches_linux-aws: upstream_linux-aws: released (5.7~rc1) precise/esm_linux-aws: DNE trusty_linux-aws: ignored (out of standard support) trusty/esm_linux-aws: not-affected (4.4.0-1002.2) xenial_linux-aws: not-affected (4.4.0-1001.10) esm-infra/xenial_linux-aws: not-affected (4.4.0-1001.10) bionic_linux-aws: not-affected (4.15.0-1001.1) eoan_linux-aws: released (5.3.0-1015.16) focal_linux-aws: not-affected (5.4.0-1007.7) devel_linux-aws: not-affected (5.4.0-1009.9) Patches_linux-aws-5.0: upstream_linux-aws-5.0: released (5.7~rc1) precise/esm_linux-aws-5.0: DNE trusty_linux-aws-5.0: DNE trusty/esm_linux-aws-5.0: DNE xenial_linux-aws-5.0: DNE bionic_linux-aws-5.0: not-affected eoan_linux-aws-5.0: DNE focal_linux-aws-5.0: DNE devel_linux-aws-5.0: DNE Patches_linux-aws-hwe: upstream_linux-aws-hwe: released (5.7~rc1) precise/esm_linux-aws-hwe: DNE trusty_linux-aws-hwe: DNE trusty/esm_linux-aws-hwe: DNE xenial_linux-aws-hwe: not-affected (4.15.0-1030.31~16.04.1) esm-infra/xenial_linux-aws-hwe: not-affected (4.15.0-1030.31~16.04.1) bionic_linux-aws-hwe: DNE eoan_linux-aws-hwe: DNE focal_linux-aws-hwe: DNE devel_linux-aws-hwe: DNE Patches_linux-azure: upstream_linux-azure: released (5.7~rc1) precise/esm_linux-azure: DNE trusty_linux-azure: ignored (out of standard support) trusty/esm_linux-azure: not-affected (4.15.0-1023.24~14.04.1) xenial_linux-azure: not-affected (4.11.0-1009.9) esm-infra/xenial_linux-azure: not-affected (4.11.0-1009.9) bionic_linux-azure: not-affected (4.15.0-1002.2) eoan_linux-azure: released (5.3.0-1018.19) focal_linux-azure: not-affected (5.4.0-1008.8) devel_linux-azure: not-affected (5.4.0-1010.10) Patches_linux-azure-5.3: upstream_linux-azure-5.3: released (5.7~rc1) precise/esm_linux-azure-5.3: DNE trusty_linux-azure-5.3: DNE trusty/esm_linux-azure-5.3: DNE xenial_linux-azure-5.3: DNE bionic_linux-azure-5.3: released (5.3.0-1018.19~18.04.1) eoan_linux-azure-5.3: DNE focal_linux-azure-5.3: DNE devel_linux-azure-5.3: DNE Patches_linux-azure-edge: upstream_linux-azure-edge: released (5.7~rc1) precise/esm_linux-azure-edge: DNE trusty_linux-azure-edge: DNE trusty/esm_linux-azure-edge: DNE xenial_linux-azure-edge: ignored (was needs-triage now end-of-life) bionic_linux-azure-edge: ignored (was needs-triage now end-of-life) eoan_linux-azure-edge: DNE focal_linux-azure-edge: DNE devel_linux-azure-edge: DNE Patches_linux-gcp: upstream_linux-gcp: released (5.7~rc1) precise/esm_linux-gcp: DNE trusty_linux-gcp: DNE trusty/esm_linux-gcp: DNE xenial_linux-gcp: not-affected (4.10.0-1004.4) esm-infra/xenial_linux-gcp: not-affected (4.10.0-1004.4) bionic_linux-gcp: not-affected (4.15.0-1001.1) eoan_linux-gcp: released (5.3.0-1016.17) focal_linux-gcp: not-affected (5.4.0-1007.7) devel_linux-gcp: not-affected (5.4.0-1009.9) Patches_linux-gcp-5.3: upstream_linux-gcp-5.3: released (5.7~rc1) precise/esm_linux-gcp-5.3: DNE trusty_linux-gcp-5.3: DNE trusty/esm_linux-gcp-5.3: DNE xenial_linux-gcp-5.3: DNE bionic_linux-gcp-5.3: released (5.3.0-1016.17~18.04.1) eoan_linux-gcp-5.3: DNE focal_linux-gcp-5.3: DNE devel_linux-gcp-5.3: DNE Patches_linux-gcp-edge: upstream_linux-gcp-edge: released (5.7~rc1) precise/esm_linux-gcp-edge: DNE trusty_linux-gcp-edge: DNE trusty/esm_linux-gcp-edge: DNE xenial_linux-gcp-edge: DNE bionic_linux-gcp-edge: ignored (was needs-triage now end-of-life) eoan_linux-gcp-edge: DNE focal_linux-gcp-edge: DNE devel_linux-gcp-edge: DNE Patches_linux-gke-4.15: upstream_linux-gke-4.15: released (5.7~rc1) precise/esm_linux-gke-4.15: DNE trusty_linux-gke-4.15: DNE trusty/esm_linux-gke-4.15: DNE xenial_linux-gke-4.15: DNE bionic_linux-gke-4.15: not-affected (4.15.0-1030.32) eoan_linux-gke-4.15: DNE focal_linux-gke-4.15: DNE devel_linux-gke-4.15: DNE Patches_linux-gke-5.0: upstream_linux-gke-5.0: released (5.7~rc1) precise/esm_linux-gke-5.0: DNE trusty_linux-gke-5.0: DNE trusty/esm_linux-gke-5.0: DNE xenial_linux-gke-5.0: DNE bionic_linux-gke-5.0: not-affected (5.0.0-1011.11~18.04.1) eoan_linux-gke-5.0: DNE focal_linux-gke-5.0: DNE devel_linux-gke-5.0: DNE Patches_linux-oracle: upstream_linux-oracle: released (5.7~rc1) precise/esm_linux-oracle: DNE trusty_linux-oracle: DNE trusty/esm_linux-oracle: DNE xenial_linux-oracle: not-affected (4.15.0-1007.9~16.04.1) esm-infra/xenial_linux-oracle: not-affected (4.15.0-1007.9~16.04.1) bionic_linux-oracle: not-affected (4.15.0-1007.9) eoan_linux-oracle: released (5.3.0-1013.14) focal_linux-oracle: not-affected (5.4.0-1007.7) devel_linux-oracle: not-affected (5.4.0-1009.9) Patches_linux-oracle-5.0: upstream_linux-oracle-5.0: released (5.7~rc1) precise/esm_linux-oracle-5.0: DNE trusty_linux-oracle-5.0: DNE trusty/esm_linux-oracle-5.0: DNE xenial_linux-oracle-5.0: DNE bionic_linux-oracle-5.0: not-affected (5.0.0-1007.12~18.04.1) eoan_linux-oracle-5.0: DNE focal_linux-oracle-5.0: DNE devel_linux-oracle-5.0: DNE Patches_linux-raspi2: upstream_linux-raspi2: released (5.7~rc1) precise/esm_linux-raspi2: DNE trusty_linux-raspi2: DNE trusty/esm_linux-raspi2: DNE xenial_linux-raspi2: not-affected (4.2.0-1013.19) bionic_linux-raspi2: not-affected (4.13.0-1005.5) eoan_linux-raspi2: released (5.3.0-1021.23) focal_linux-raspi2: ignored (was needs-triage now end-of-life) devel_linux-raspi2: ignored (was needs-triage now end-of-life) Patches_linux-snapdragon: upstream_linux-snapdragon: released (5.7~rc1) precise/esm_linux-snapdragon: DNE trusty_linux-snapdragon: DNE trusty/esm_linux-snapdragon: DNE xenial_linux-snapdragon: not-affected (4.4.0-1012.12) bionic_linux-snapdragon: not-affected (4.4.0-1077.82) eoan_linux-snapdragon: DNE focal_linux-snapdragon: DNE devel_linux-snapdragon: DNE Patches_linux-raspi2-5.3: upstream_linux-raspi2-5.3: released (5.7~rc1) precise/esm_linux-raspi2-5.3: DNE trusty_linux-raspi2-5.3: DNE trusty/esm_linux-raspi2-5.3: DNE xenial_linux-raspi2-5.3: DNE bionic_linux-raspi2-5.3: released (5.3.0-1021.23~18.04.1) eoan_linux-raspi2-5.3: DNE focal_linux-raspi2-5.3: DNE devel_linux-raspi2-5.3: DNE Patches_linux-oem-5.6: upstream_linux-oem-5.6: released (5.7~rc1) precise/esm_linux-oem-5.6: DNE trusty_linux-oem-5.6: DNE trusty/esm_linux-oem-5.6: DNE xenial_linux-oem-5.6: DNE bionic_linux-oem-5.6: DNE eoan_linux-oem-5.6: DNE focal_linux-oem-5.6: not-affected (5.6.0-1007.7) devel_linux-oem-5.6: not-affected (5.6.0-1007.7) Patches_linux-gke-5.3: upstream_linux-gke-5.3: released (5.7~rc1) precise/esm_linux-gke-5.3: DNE trusty_linux-gke-5.3: DNE trusty/esm_linux-gke-5.3: DNE xenial_linux-gke-5.3: DNE bionic_linux-gke-5.3: released (5.3.0-1016.17~18.04.1) eoan_linux-gke-5.3: DNE focal_linux-gke-5.3: DNE devel_linux-gke-5.3: DNE Patches_linux-oracle-5.3: upstream_linux-oracle-5.3: released (5.7~rc1) precise/esm_linux-oracle-5.3: DNE trusty_linux-oracle-5.3: DNE trusty/esm_linux-oracle-5.3: DNE xenial_linux-oracle-5.3: DNE bionic_linux-oracle-5.3: released (5.3.0-1013.14~18.04.1) eoan_linux-oracle-5.3: DNE focal_linux-oracle-5.3: DNE devel_linux-oracle-5.3: DNE