Hi!

CVE-2021-3600: eBPF 32-bit source register truncation on div/mod

The vulnerability has been introduced since 4.15-rc9. 4.4 is not
affected. 4.19 is not fixed yet as of 2021/08/26.

mainline: [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
stable/5.10: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
stable/5.4: [78e2f71b89b22222583f74803d14f3d90cdf9d12]

I took a look into this. Apparently 4.14 and 4.19 is affected. (
https://seclists.org/oss-sec/2021/q2/228 )

Due to BPF 32-bit subregister requirements (see bpf_design_QA.rst)
top 32 bits should be always zero when the 32 bit registers are in
use. So it could be possible to use BPF_JMP instead of BPF_JMP32.

Hmm, no; that is what original code did and what is known not to work
for reasons I don't fully understand.

Anyway, I asked on the lists, and according to Thadeu Lima de Souza
Cascardo Ubuntu did some work on it and is likely to do some more.

Oh, and we may want watch CVE-2021-3444, it is apparently related and
not yet fixed in 4.19.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany