Impact
What kind of vulnerability is it? Who is impacted?
It was discovered that Falco's kernel module is affected by an integer overflow that can be triggered and lead to an out-of-bounds (OOB) array access. That can happen while parsing buffers from userland. When this happens, the kernel module crashes, and it is no longer possible to trace any of the system calls. Although exploiting this issue beyond a crash is fairly unlikely, it is still considered high severity because an unprivileged process can issue this system call and effectively crash the kernel module.
Only users using Falco versions before 0.18.0 with the kernel module.
Users using a Falco kernel module built from a revision of falcosecurity/libs before commit 55b1cc8.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been addressed by commit 55b1cc8 on Aug 6, 2019.
Users should upgrade to Falco 0.18.0 or later (which uses a Falco kernel module containing the above-mentioned commit).
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No workaround is available; a version upgrade to Falco 0.18.0 or later is needed.
References
Are there any links users can visit to find out more?
While parsing buffers from userland, an integer overflow can be triggered and leads to an out-of-bounds (OOB) array access. In turn, this crashes the kernel module and it is no longer possible to trace any of the system calls. This crash goes unnoticed by the userspace application (Falco) and requires a manual inspection of the dmesg output.
Below is the code excerpt which highlights the parts relevant for the integer overflow and the following for-loop that runs out-of-bounds.
Affected code
With a sufficiently large iovcnt, it is possible to cause an integer overflow such that copylen does not exceed its maximum size. The following for-loop, however, uses the large iovcnt.
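The pattern described above, modelled in user-space C as an added example (it is not Falco's driver code and is not taken from the advisory). The names, the 64 KiB buffer size, the 16-byte entry size and the 32-bit width of copylen are assumptions chosen for illustration; the model only does the arithmetic and never performs the out-of-bounds access.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for illustration, not Falco's definitions. */
#define STORAGE_SIZE 65536u                          /* hypothetical scratch buffer size */
struct iov_model { uint64_t base; uint64_t len; };   /* 16 bytes, like a 64-bit iovec */

/* Unsafe pattern: the product is truncated to 32 bits before the size check,
 * so a huge iovcnt can produce a small copylen that passes it. */
static bool unsafe_check(uint64_t iovcnt, uint32_t *copylen)
{
    *copylen = (uint32_t)(iovcnt * sizeof(struct iov_model));
    return *copylen < STORAGE_SIZE;
}

/* Hardened pattern: bound the count itself before multiplying, so the
 * copied length and the later loop bound cannot disagree. */
static bool safe_check(uint64_t iovcnt, uint32_t *copylen)
{
    if (iovcnt >= STORAGE_SIZE / sizeof(struct iov_model))
        return false;
    *copylen = (uint32_t)(iovcnt * sizeof(struct iov_model));
    return true;
}

/* True when a loop over iovcnt entries would index past the copied bytes. */
static bool loop_exceeds_copy(uint64_t iovcnt, uint32_t copylen)
{
    return iovcnt > copylen / sizeof(struct iov_model);
}

int main(void)
{
    /* Constructed counts: an ordinary one, and one where 16 * n wraps to 32. */
    const uint64_t samples[] = { 4, (UINT64_C(1) << 28) + 2 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t len = 0, safe_len = 0;
        bool passed = unsafe_check(samples[i], &len);
        bool oob = loop_exceeds_copy(samples[i], len);
        bool safe = safe_check(samples[i], &safe_len);
        printf("iovcnt=%llu copylen=%u unsafe_check=%s loop_oob=%s safe_check=%s\n",
               (unsigned long long)samples[i], (unsigned)len,
               passed ? "pass" : "reject", oob ? "yes" : "no", safe ? "pass" : "reject");
    }
    return 0;
}
```

When reviewing similar code, check that the value compared against the buffer limit is the same value, at the same width, that later bounds the loop.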
For more information
If you have any questions or comments about this advisory: