CVE-2020-8835

Description

In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)

CVSS Metrics

• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.2AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 23.27%• Percentile: 96%

Techniques & Countermeasures

• CWE-125•Out-of-bounds Read

  The product reads data past the end, or before the beginning, of the intended buffer.

• CWE-787•Out-of-bounds Write

  The product writes data past the end, or before the beginning, of the intended buffer.

Affected Systems

• canonical•ubuntu_linux

  18.04 | 19.10

• fedoraproject•fedora

  30 | 31 | 32

• linux kernel•linux kernel

  ≥ 5.6-stable, < 5.6.1 | ≥ 5.5-stable, < 5.5.14 | ≥ 5.4.7, < 5.4-stable*

• linux•linux_kernel

  ≥ 5.4.7, < 5.4.29 | ≥ 5.5.0, < 5.5.14 | ≥ 5.6, < 5.6.1

• netapp•8300_firmware

  na

• netapp•8700_firmware

  na

• netapp•a220_firmware

  na

• netapp•a320_firmware

  na

• netapp•a400_firmware

  na

• netapp•a700s_firmware

  na

• netapp•a800_firmware

  na

• netapp•c190_firmware

  na

• netapp•cloud_backup

  na

• netapp•fas2720_firmware

  na

• netapp•fas2750_firmware

  na

• netapp•h300e

  na

• netapp•h300s_firmware

  na

• netapp•h410s_firmware

  na

• netapp•h500e

  na

• netapp•h500s_firmware

  na

• netapp•h610c_firmware

  na

• netapp•h610s_firmware

  na

• netapp•h615c_firmware

  na

• netapp•h700e

  na

• netapp•h700s_firmware

  na

• netapp•hci_management_node

  na

• netapp•solidfire

  na

• netapp•steelstore_cloud_integrated_storage

  na

References (12)

• https://usn.ubuntu.com/4313-1/
• https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results
• https://lore.kernel.org/bpf/20200330160324.15259-1-daniel%40iogearbox.net/T/
• https://www.openwall.com/lists/oss-security/2020/03/30/3
• https://usn.ubuntu.com/usn/usn-4313-1
• https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YXBWSHZ6DJIZVXKXGZPK6QPFCY7VKZEG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/
• https://security.netapp.com/advisory/ntap-20200430-0004/
• http://www.openwall.com/lists/oss-security/2021/07/20/1