CVE-2021-41864 Overview
CVE-2021-41864 is an integer overflow vulnerability in the Linux kernel's eBPF subsystem, specifically within the prealloc_elems_and_freelist function in kernel/bpf/stackmap.c. This vulnerability affects Linux kernel versions prior to 5.14.12 and allows unprivileged users to trigger an eBPF multiplication integer overflow, resulting in an out-of-bounds write condition that could lead to privilege escalation or arbitrary code execution.
Critical Impact
Unprivileged local users can exploit this integer overflow to achieve out-of-bounds memory writes, potentially leading to kernel-level privilege escalation and full system compromise.
Affected Products
- Linux Kernel (versions before 5.14.12)
- Fedora 33, 34, and 35
- Debian Linux 9.0 and 10.0
- NetApp Cloud Backup
- NetApp HCI Management Node
- NetApp SolidFire
- NetApp H-Series Firmware (H410C, H300S, H500S, H700S, H300E, H500E, H700E, H410S)
- NetApp SolidFire Baseboard Management Controller
Discovery Timeline
- October 2, 2021 - CVE-2021-41864 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-41864
Vulnerability Analysis
The vulnerability resides in the prealloc_elems_and_freelist() function within the BPF stack map implementation. This function is responsible for pre-allocating elements and managing the freelist for BPF stack maps. The core issue stems from an arithmetic operation where the element size calculation uses a 32-bit unsigned integer (u32) to store the result of a multiplication that can exceed 32-bit bounds.
When computing the total allocation size by multiplying elem_size with smap->map.max_entries, the intermediate result can overflow the 32-bit integer boundary. This overflow causes a significantly smaller memory region to be allocated than what the kernel believes it has, creating a classic heap-based out-of-bounds write scenario when subsequent operations write beyond the allocated buffer.
Root Cause
The root cause is a type mismatch in the element size calculation. The vulnerable code declares elem_size as a u32 (32-bit unsigned integer):
u32 elem_size = sizeof(struct stack_map_bucket) + smap->map.value_size;
When smap->map.value_size is a large user-controlled value, the subsequent multiplication with max_entries during memory allocation can wrap around, resulting in a much smaller allocation than intended. This is classified as CWE-190 (Integer Overflow or Wraparound).
Attack Vector
The attack vector requires local access to the system. An unprivileged user with access to the BPF subsystem can craft a malicious BPF program that creates a stack map with carefully chosen value_size and max_entries parameters designed to trigger the integer overflow. The attacker manipulates these values to cause the allocation function to allocate a small buffer while the kernel believes it has allocated a much larger one. Subsequent writes to this buffer exceed its boundaries, potentially corrupting adjacent kernel memory structures and enabling privilege escalation.
// Security patch - Source: kernel/bpf/stackmap.c
// Before the fix, elem_size was declared as u32, causing potential overflow
static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
{
- u32 elem_size = sizeof(struct stack_map_bucket) + smap->map.value_size;
+ u64 elem_size = sizeof(struct stack_map_bucket) +
+ (u64)smap->map.value_size;
int err;
smap->elems = bpf_map_area_alloc(elem_size * smap->map.max_entries,
Source: Linux Kernel Commit
The fix changes the elem_size variable from u32 to u64 and explicitly casts smap->map.value_size to u64 before the addition, ensuring the calculation uses 64-bit arithmetic and preventing the overflow condition.
Detection Methods for CVE-2021-41864
Indicators of Compromise
- Unusual BPF program loading activity by unprivileged users
- Kernel crashes or panics related to memory corruption in BPF subsystem
- Unexpected privilege escalation events following BPF-related system calls
- Abnormal memory allocation patterns in kernel logs referencing stackmap.c
Detection Strategies
- Monitor bpf() system calls for suspicious stack map creation with abnormally large value_size or max_entries parameters
- Deploy kernel integrity monitoring tools to detect unauthorized kernel memory modifications
- Enable and analyze auditd rules for BPF-related syscalls (bpf, perf_event_open)
- Utilize SIEM correlation rules to identify patterns of BPF activity followed by privilege changes
Monitoring Recommendations
- Enable kernel BPF audit logging via kernel.bpf_stats_enabled sysctl parameter
- Implement real-time monitoring of /sys/kernel/debug/tracing/trace_pipe for BPF-related events
- Configure alerting for kernel oops or panics mentioning bpf_stack_map or prealloc_elems
- Deploy endpoint detection solutions capable of monitoring kernel-level memory operations
How to Mitigate CVE-2021-41864
Immediate Actions Required
- Upgrade the Linux kernel to version 5.14.12 or later immediately
- Apply vendor-specific security patches from Debian, Fedora, or NetApp as applicable
- Restrict unprivileged BPF access by setting kernel.unprivileged_bpf_disabled=1
- Audit systems for signs of exploitation prior to patching
Patch Information
The vulnerability was addressed in Linux kernel version 5.14.12. The fix modifies the prealloc_elems_and_freelist() function to use 64-bit arithmetic for the element size calculation, preventing the integer overflow. The patch is available through the Linux Kernel ChangeLog 5.14.12 and the specific commit can be reviewed at the BPF Git Repository.
Distribution-specific patches are available:
Workarounds
- Disable unprivileged BPF by setting the sysctl parameter kernel.unprivileged_bpf_disabled=1
- Implement seccomp filters to restrict bpf() syscall access for untrusted processes
- Use SELinux or AppArmor policies to limit BPF capabilities to authorized services only
- Consider network segmentation to limit access to systems running vulnerable kernel versions
# Disable unprivileged BPF access as a temporary mitigation
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
# Make the setting persistent across reboots
echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.d/99-bpf-hardening.conf
sysctl -p /etc/sysctl.d/99-bpf-hardening.conf
# Verify the setting is applied
sysctl kernel.unprivileged_bpf_disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
