CVE-2020-8835: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel 5.5.0 and newer, a vulnerability was discovered in the bpf verifier (kernel/bpf/verifier.c) where it did not properly restrict the register bounds for 32-bit operations. This vulnerability (CVE-2020-8835) also affects the Linux 5.4 stable series starting with v5.4.7, as the introducing commit was backported to that branch. The issue was discovered by Manfred Paul during the Pwn2Own 2020 competition (ZDI Blog) and was fixed in kernel versions 5.6.1, 5.5.14, and 5.4.29 (NVD).

The vulnerability stems from incorrect handling of register bounds calculations in the BPF verifier. The issue was introduced by commit 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions") which made incorrect range assumptions in the __reg_bound_offset32() implementation. This led to improper restrictions on register bounds for 32-bit operations, allowing out-of-bounds reads and writes in kernel memory (Kernel Commit). The vulnerability has a CVSS score of 7.8 (High) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Ubuntu).

When successfully exploited, this vulnerability allows a local attacker to expose sensitive information (kernel memory) or gain administrative privileges. The vulnerability enables out-of-bounds reads and writes in kernel memory, which can be leveraged to escalate privileges from a standard user to root (Ubuntu USN).

The vulnerability can be mitigated by setting the kernel.unprivileged_bpf_disabled sysctl to 1. The issue is also mitigated on systems that use secure boot, thanks to the kernel lockdown feature which blocks BPF program loading. For a complete fix, systems should be updated to kernel versions 5.6.1, 5.5.14, or 5.4.29 depending on the kernel branch in use (Ubuntu).