CVE-2021-3490 in Linux
Summary
by MITRE • 06/04/2021
The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf: Fix a verifier failure with xor") (5.10-rc1).
Analysis
by VulDB Data Team • 06/07/2021
CVE-2021-3490 is a critical flaw in the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically in the ALU32 bounds tracking for bitwise operations. The flaw lies in the verifier, the kernel component that checks eBPF programs for safety and correctness before they are allowed to run. It stems from improper handling of 32-bit bounds tracking during bitwise AND, OR and XOR operations, which leaves the verifier's 32-bit bounds information stale or incorrectly maintained.
The flaw manifests when the verifier fails to update the 32-bit bounds of a register during one of these bitwise operations, which can lead to out-of-bounds memory access. The verifier's bounds tracking does not correctly account for how the operation changes the range of values the register can hold, particularly for 32-bit subregisters. The defect is specifically in the tracking of constant subregister bounds, where the verifier assumes that an operation preserves bounds that it does not. A malicious eBPF program can therefore present register values the verifier believes to be in range while they actually address memory outside the intended bounds, bypassing the kernel's memory safety checks.
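As an added illustration, not code from the kernel or from this advisory, the following C model reproduces the constant-subreg path of the ALU32 AND bounds helper in simplified form: `tnum_and`, `subreg_is_const`, `struct reg` and the constructed register states are stand-ins for the kernel's verifier structures, and the `fixed` flag switches between the pre-fix early return and the corrected path introduced by commit 049c4e13714e. The OR and XOR helpers had the same early-return pattern and received the same fix.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified model of the verifier's tnum: a bit is known iff its mask
 * bit is clear; the known bits are held in value. */
struct tnum { uint64_t value, mask; };

static struct tnum tnum_and(struct tnum a, struct tnum b)
{
    uint64_t alpha = a.value | a.mask, beta = b.value | b.mask, v = a.value & b.value;
    return (struct tnum){ v, alpha & beta & ~v };
}
static bool subreg_is_const(struct tnum t) { return (uint32_t)t.mask == 0; }

/* Only the parts of the register state this bug touches. */
struct reg { struct tnum var_off; uint32_t u32_min, u32_max; };

/* Model of scalar32_min_max_and() on the both-subregs-constant path.
 * fixed == false: pre-fix early return that left the 32-bit bounds alone,
 * trusting the 64-bit helper; fixed == true: the 32-bit result is marked known. */
static void scalar32_min_max_and(struct reg *dst, const struct reg *src, bool fixed)
{
    if (!(subreg_is_const(src->var_off) && subreg_is_const(dst->var_off)))
        return;                        /* non-constant path not modelled here */
    if (fixed)
        dst->u32_min = dst->u32_max = (uint32_t)dst->var_off.value;
    /* pre-fix: return with u32_min/u32_max untouched, i.e. stale */
}

/* Invariant the verifier relies on: a known 32-bit constant must lie
 * within the tracked 32-bit bounds. */
static bool bounds_consistent(const struct reg *r)
{
    uint32_t v = (uint32_t)r->var_off.value;
    return !subreg_is_const(r->var_off) || (r->u32_min <= v && v <= r->u32_max);
}

/* Constructed states: dst's low half is known to be 1 (bounds [1,1]) with an
 * unknown high half; src is the constant 0x100000002, so the 64-bit result is
 * still partly unknown and only the 32-bit helper can narrow the subreg bounds. */
static struct reg and_case(bool fixed)
{
    struct reg dst = { { 1, 0xffffffff00000000ull }, 1, 1 };
    struct reg src = { { 0x100000002ull, 0 }, 2, 2 };
    dst.var_off = tnum_and(dst.var_off, src.var_off);   /* tnum updated first, as in the kernel */
    scalar32_min_max_and(&dst, &src, fixed);
    return dst;
}
static bool and_case_consistent(bool fixed) { struct reg r = and_case(fixed); return bounds_consistent(&r); }
static uint32_t and_case_u32_max(bool fixed) { return and_case(fixed).u32_max; }
```

With `fixed == false` the low half is known to be 0 while the tracked 32-bit bounds still say [1,1]; with `fixed == true` the bounds collapse to [0,0] and the invariant holds.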
The operational impact of this vulnerability extends beyond simple memory corruption, as it provides a pathway for arbitrary code execution within the kernel space. An attacker who can execute eBPF programs with sufficient privileges could leverage this flaw to perform out-of-bounds reads and writes, potentially allowing them to access sensitive kernel memory regions, modify critical data structures, or even escalate privileges to full root access. The vulnerability is particularly concerning because eBPF programs can be loaded by users with appropriate capabilities, and the flaw exists in the kernel's verification logic rather than in user-space applications. This creates a scenario where legitimate kernel functionality could be exploited to gain unauthorized access to kernel memory, making it a serious threat to system integrity and security.
The vulnerability was addressed through targeted commits that specifically corrected the bounds tracking logic for ALU32 operations. The primary fix was implemented in commit 049c4e13714e which corrected the handling of constant subregister bound tracking during bitwise operations. The issue was introduced in earlier kernel versions through two separate commits, with the AND/OR operations being affected by commit 3f50f132d840 and the XOR variant by commit 2921c90d4718. These fixes were backported to multiple stable kernel releases including v5.12.4, v5.11.21, and v5.10.37, demonstrating the severity of the issue. The vulnerability aligns with CWE-129 and CWE-787, which relate to improper bounds checking and out-of-bounds read/write conditions. From an ATT&CK perspective, this vulnerability maps to T1059.007 (Command and Scripting Interpreter: PowerShell) and T1068 (Exploitation for Privilege Escalation) as it provides a mechanism for privilege escalation through kernel exploitation. Organizations should ensure their systems are updated to kernel versions containing the appropriate fixes, particularly since eBPF is widely used for network filtering, system monitoring, and security enforcement across Linux distributions. The vulnerability underscores the importance of rigorous bounds checking in kernel-level code and demonstrates how seemingly minor verification logic flaws can have catastrophic security implications, particularly in systems that handle privileged operations and memory management.