Vigil@nce - Linux kernel: denial of service via BPF JIT
July 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can define a malicious BPF filter to be compiled to
native code, in order to raise a fatal exception in the Linux
kernel and so trigger a denial of service.
Impacted products: Linux, Ubuntu
Severity: 1/4
Creation date: 23/06/2015
DESCRIPTION OF THE VULNERABILITY
The Linux kernel includes a packet filter from BSD. A rule set for
this filter may be compiled to native machine code, just before
running.
There is more than one way to translate a BPF instruction to x86
code, and these instructions have different lengths. So, the
compiler does several passes overs the code to adjust jump
instructions. However, some filters require more passes than the
allowed maximum. In this case, the produced code includes INT 3
instructions, used to call the debugger. This instruction is not
allowed in the kernel.
An attacker can therefore define a malicious BPF filter to be
compiled to native code, in order to raise a fatal exception in
the Linux kernel and so trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-BPF-JIT-17207