Disable unprivileged BPF by default

Bug #1961338 reported by Thadeu Lima de Souza Cascardo
Affects          Status        Importance  Assigned to                    Milestone
linux (Ubuntu)   Fix Released  Undecided   Unassigned
  Xenial         Fix Released  Undecided   Unassigned
  Bionic         Fix Released  High        Thadeu Lima de Souza Cascardo
  Focal          Fix Released  High        Thadeu Lima de Souza Cascardo

Bug Description

[Impact]
Unprivileged users have access to BPF, allowing them to execute code in the kernel under their control. Though restricted and verified, a lot of security issues have been uncovered over the years, indicating that it should be disabled by default in order to protect our users.

Admins can re-enable that access or give CAP_BPF to programs if needed.

[Test case]
A qa-regression-testing testcase has been added that checks for the ability to load BPF programs under different circumstances.

[Potential regression]
Users who rely on unprivileged BPF access will need to change the setting or give CAP_BPF to their programs. Also, sysctl and bpf code might be affected.
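
The following check is an added example, not part of the bug report or the Ubuntu kernel tree. It audits a host for the state this change is meant to ship: it looks for CONFIG_BPF_UNPRIV_DEFAULT_OFF=y in the running kernel's config, reads the kernel.unprivileged_bpf_disabled sysctl, and flags the regression case the report warns about (a default-off kernel on which an admin has switched unprivileged BPF back on). It assumes an Ubuntu-style /boot/config-$(uname -r) file; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report or the Ubuntu kernel tree.
# Audits whether unprivileged BPF is off on this host, the state that
# CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is meant to ship. Assumes an Ubuntu-style
# /boot/config-$(uname -r) and the kernel.unprivileged_bpf_disabled sysctl.

# Meaning of kernel.unprivileged_bpf_disabled for a process without
# CAP_BPF or CAP_SYS_ADMIN calling bpf(2):
#   0  unprivileged BPF allowed
#   1  disabled and locked until the next boot
#   2  disabled, but an admin may set it back to 0 (what the kconfig
#      knob installs as the boot-time default)
describe_unpriv_bpf() {
    case "$1" in
        0) echo "ALLOWED: unprivileged users can load BPF programs" ;;
        1) echo "DISABLED (locked): cannot be re-enabled until reboot" ;;
        2) echo "DISABLED: re-enable with sysctl kernel.unprivileged_bpf_disabled=0" ;;
        *) echo "UNKNOWN value '$1'"; return 1 ;;
    esac
}

# True if the kernel config text on stdin carries the default-off knob.
config_default_off() {
    grep -qx 'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y'
}

# Combine build-time knob (y|n) and runtime sysctl value into a verdict.
# Catches the regression case the report warns about: a default-off
# kernel whose admin flipped the sysctl back to 0 (by hand or via sysctl.d).
assess() {
    case "$1/$2" in
        y/2)     echo "hardened: default-off kernel, setting still in effect" ;;
        y/0)     echo "regressed: default-off kernel, but unprivileged BPF was re-enabled" ;;
        n/0)     echo "exposed: kernel lacks the knob and the sysctl was never set" ;;
        */1|*/2) echo "hardened: disabled at runtime" ;;
        *)       echo "unknown: knob=$1 sysctl=$2"; return 1 ;;
    esac
}

# Live check; every step degrades gracefully on hosts without these files.
cfg="/boot/config-$(uname -r)"
knob=n
[ -r "$cfg" ] && config_default_off < "$cfg" && knob=y
val=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo unknown)
echo "kernel config knob present: $knob"
echo "runtime value: $val"
describe_unpriv_bpf "$val" || true
assess "$knob" "$val" || true
```

Run it as an ordinary user; no privilege is needed to read either file, so it fits in a compliance scan alongside the qa-regression-testing case mentioned above.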

Changed in linux (Ubuntu):
status: In Progress → Fix Released
Changed in linux (Ubuntu Focal):
status: New → In Progress
Changed in linux (Ubuntu Bionic):
status: New → In Progress
Changed in linux (Ubuntu Xenial):
status: New → Confirmed
Changed in linux (Ubuntu Focal):
importance: Undecided → High
Changed in linux (Ubuntu Bionic):
importance: Undecided → High
Changed in linux (Ubuntu Focal):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu Bionic):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 5.4.0-104.118

---------------
linux (5.4.0-104.118) focal; urgency=medium

  * CVE-2022-23960
    - SAUCE: kvm: arm: fix build on 32-bit

linux (5.4.0-103.117) focal; urgency=medium

  * CVE-2022-23960
    - arm64: Add part number for Arm Cortex-A77
    - arm64: Add Neoverse-N2, Cortex-A710 CPU part definition
    - arm64: Add Cortex-X2 CPU part definition
    - arm64: add ID_AA64ISAR2_EL1 sys register
    - SAUCE: arm64: entry.S: Add ventry overflow sanity checks
    - SAUCE: arm64: entry: Make the trampoline cleanup optional
    - SAUCE: arm64: entry: Free up another register on kpti's tramp_exit path
    - SAUCE: arm64: entry: Move the trampoline data page before the text page
    - SAUCE: arm64: entry: Allow tramp_alias to access symbols after the 4K
      boundary
    - SAUCE: arm64: entry: Don't assume tramp_vectors is the start of the vectors
    - SAUCE: arm64: entry: Move trampoline macros out of ifdef'd section
    - SAUCE: arm64: entry: Make the kpti trampoline's kpti sequence optional
    - SAUCE: arm64: entry: Allow the trampoline text to occupy multiple pages
    - SAUCE: arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations
    - SAUCE: arm64: entry: Add vectors that have the bhb mitigation sequences
    - SAUCE: arm64: entry: Add macro for reading symbol addresses from the
      trampoline
    - SAUCE: arm64: Add percpu vectors for EL1
    - SAUCE: arm64: proton-pack: Report Spectre-BHB vulnerabilities as part of
      Spectre-v2
    - SAUCE: KVM: arm64: Add templates for BHB mitigation sequences
    - SAUCE: arm64: Mitigate spectre style branch history side channels
    - SAUCE: KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and
      migrated
    - SAUCE: arm64: Use the clearbhb instruction in mitigations
    - [Config]: set CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY=y

  * CVE-2022-25636
    - netfilter: nf_tables_offload: incorrect flow offload action array size

  * CVE-2022-0001
    - x86/speculation: Merge one test in spectre_v2_user_select_mitigation()
    - x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
    - SAUCE: x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
    - SAUCE: x86/speculation: Add eIBRS + Retpoline options
    - SAUCE: Documentation/hw-vuln: Update spectre doc

  * Disable unprivileged BPF by default (LP: #1961338)
    - bpf: Add kconfig knob for disabling unpriv bpf by default
    - [Config] set CONFIG_BPF_UNPRIV_DEFAULT_OFF=y

 -- Thadeu Lima de Souza Cascardo <email address hidden> Wed, 02 Mar 2022 14:10:18 -0300

Changed in linux (Ubuntu Focal):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 4.15.0-171.180

---------------
linux (4.15.0-171.180) bionic; urgency=medium

  * CVE-2022-0001
    - cpu/SMT: create and export cpu_smt_possible()
    - x86/speculation: Merge one test in spectre_v2_user_select_mitigation()
    - x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
    - SAUCE: x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
    - SAUCE: x86/speculation: Add eIBRS + Retpoline options
    - SAUCE: Documentation/hw-vuln: Update spectre doc

  * Disable unprivileged BPF by default (LP: #1961338)
    - bpf: Add kconfig knob for disabling unpriv bpf by default
    - [Config] set CONFIG_BPF_UNPRIV_DEFAULT_OFF=y

 -- Thadeu Lima de Souza Cascardo <email address hidden> Wed, 02 Mar 2022 13:21:15 -0300

Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Released
information type: Private Security → Public Security
Changed in linux (Ubuntu Xenial):
status: Confirmed → Fix Released
Brian Murray (brian-murray) wrote: [linux-hwe-5.11/focal] verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for focal for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote:

This bug is awaiting verification that the linux-xilinx-zynqmp/5.4.0-1018.21 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-done-focal