The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee ("bpf, ringbuf: Deny reserve of buffers larger than ringbuf") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") (v5.8-rc1).
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
The product writes data past the end, or before the beginning, of the intended buffer.
| Link | Tags |
|---|---|
| https://www.openwall.com/lists/oss-security/2021/05/11/10 | third party advisory mailing list |
| https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=4b81ccebaeee885ab1aa1438133f2991e3a2b6ea | patch vendor advisory |
| https://www.zerodayinitiative.com/advisories/ZDI-21-590/ | vdb entry third party advisory |
| https://ubuntu.com/security/notices/USN-4950-1 | third party advisory vendor advisory |
| https://ubuntu.com/security/notices/USN-4949-1 | third party advisory vendor advisory |
| https://security.netapp.com/advisory/ntap-20210716-0004/ | third party advisory |