CVE-2020-8835 Overview
CVE-2020-8835 is an out-of-bounds read/write vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) verifier component. The vulnerability exists in Linux kernel versions 5.5.0 and newer, where the BPF verifier (kernel/bpf/verifier.c) fails to properly restrict register bounds for 32-bit operations. This flaw enables attackers to perform out-of-bounds reads and writes in kernel memory, potentially leading to privilege escalation or information disclosure.
The vulnerability also affects the Linux 5.4 stable series starting with version 5.4.7, as the introducing commit was backported to that branch. This issue was tracked by the Zero Day Initiative as ZDI-CAN-10780 and was demonstrated at Pwn2Own 2020.
Critical Impact
Local attackers with the ability to load BPF programs can exploit this vulnerability to read and write arbitrary kernel memory, potentially achieving full system compromise through privilege escalation.
Affected Products
- Linux Kernel versions 5.5.0 to 5.5.13
- Linux Kernel versions 5.4.7 to 5.4.28
- Fedora 30, 31, and 32
- Canonical Ubuntu Linux 18.04 LTS and 19.10
- NetApp Cloud Backup, HCI Management Node, SolidFire, and various storage platforms
Discovery Timeline
- 2020-04-02 - CVE-2020-8835 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-8835
Vulnerability Analysis
The vulnerability resides in the Linux kernel's BPF verifier, which is responsible for validating BPF programs before they are executed in kernel space. The BPF subsystem allows user-space applications to run sandboxed programs within the kernel for tasks such as packet filtering, tracing, and performance monitoring.
The flaw occurs due to improper handling of 32-bit arithmetic operations during the verification process. When the BPF verifier performs bounds checking on registers involved in 32-bit operations, it fails to correctly track the upper and lower bounds of these registers. This miscalculation allows an attacker to craft a malicious BPF program that passes verification but actually operates outside its intended memory boundaries during execution.
The impact of this vulnerability is severe, as successful exploitation allows an attacker to read sensitive kernel memory contents or write arbitrary values to kernel memory locations. This can be leveraged to bypass security mechanisms, escalate privileges from an unprivileged user to root, or execute arbitrary code in kernel context.
Root Cause
The root cause stems from incorrect bounds tracking in the BPF verifier's 32-bit operation handling logic. When processing arithmetic operations on 32-bit register values, the verifier uses a scalar tracking mechanism to determine the possible range of values a register can hold. The vulnerability arises because the verifier incorrectly propagates bounds information during certain 32-bit ALU (Arithmetic Logic Unit) operations.
Specifically, the verifier fails to properly account for sign extension and truncation behavior when transitioning between 32-bit and 64-bit register operations. This allows an attacker to construct a sequence of BPF instructions that confuses the verifier's bounds tracking, resulting in a register being assigned an incorrect range that permits out-of-bounds memory access.
Attack Vector
The attack requires local access to the system with the ability to load BPF programs. On many Linux distributions, unprivileged BPF is enabled by default, allowing any local user to exploit this vulnerability. The attack proceeds as follows:
- The attacker crafts a malicious BPF program with carefully constructed 32-bit arithmetic operations
- The program manipulates register values to create a discrepancy between verified bounds and actual runtime values
- During verification, the BPF verifier incorrectly approves the program as safe
- When the program executes in kernel context, it performs out-of-bounds memory operations
- The attacker leverages these memory access primitives to read sensitive data or achieve code execution
The vulnerability was demonstrated at Pwn2Own 2020 for achieving local privilege escalation on Ubuntu Desktop, showcasing its real-world exploitability. For technical details on the exploitation techniques, refer to the Zero Day Initiative Blog.
Detection Methods for CVE-2020-8835
Indicators of Compromise
- Unusual BPF program loading activity from non-administrative users
- Kernel log messages indicating BPF verifier errors or warnings related to bounds checking
- Unexpected privilege changes or new root processes spawned from unprivileged accounts
- Audit logs showing bpf() system calls with suspicious program types or sizes
Detection Strategies
- Monitor for bpf() system calls using auditd rules: auditctl -a always,exit -F arch=b64 -S bpf
- Implement Seccomp profiles that restrict BPF system call access for untrusted applications
- Deploy kernel-level monitoring for BPF program loading events via perf or eBPF-based tools
- Review system logs for signs of exploitation attempts or privilege escalation indicators
Monitoring Recommendations
- Enable BPF-related kernel tracing to capture program loading and verification events
- Configure alerting for any kernel panic or oops messages related to BPF subsystem
- Implement file integrity monitoring on critical system binaries to detect post-exploitation modifications
- Use SentinelOne's behavioral AI to detect anomalous kernel-level activity patterns
How to Mitigate CVE-2020-8835
Immediate Actions Required
- Update affected Linux kernels to patched versions: 5.6.1, 5.5.14, or 5.4.29
- Disable unprivileged BPF access if not required: sysctl -w kernel.unprivileged_bpf_disabled=1
- Apply vendor-specific security patches from Fedora, Ubuntu, or NetApp as applicable
- Restrict BPF capabilities using Seccomp or AppArmor profiles for untrusted workloads
Patch Information
The Linux kernel developers released fixes in versions 5.6.1, 5.5.14, and 5.4.29. The patch corrects the bounds tracking logic in the BPF verifier to properly handle 32-bit arithmetic operations. The fix is available in the following commits:
Distribution-specific patches are available through:
Workarounds
- Set kernel.unprivileged_bpf_disabled=1 to prevent unprivileged users from loading BPF programs
- Use capability-based restrictions to limit CAP_BPF and CAP_SYS_ADMIN to trusted users only
- Deploy container runtime restrictions that block BPF access from untrusted containers
- Implement namespace isolation and Seccomp filtering for applications that don't require BPF functionality
# Disable unprivileged BPF access (recommended mitigation)
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
# Make persistent across reboots
echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf
sysctl -p
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
