CVE-2021-3489

Summary

The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee ("bpf, ringbuf: Deny reserve of buffers larger than ringbuf") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") (v5.8-rc1).

Affected Software

VendorProductVersion RangeStatus
LinuxLinux kerneltrunk < v5.13-rc4affected
LinuxLinux kernellinux-5.12.y < v5.12.4affected
LinuxLinux kernellinux-5.11.y < v5.11.21affected
LinuxLinux kernellinux-5.10.y < v5.10.37affected
LinuxLinux kernelv5.8 < 5.8*affected

Weaknesses

  • CWE-119: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-787: CWE-787 Out-of-bounds Write

ADP Enrichment

CVE Program Container

Additional References

References