Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 18 Mar 2021 22:06:13 +0000
From: Piotr Krysiuk <>
Subject: [CVE-2020-27170] Protection against speculatively out-of-bounds loads
 in the Linux kernel can be bypassed by unprivileged local users to leak
 content of kernel memory

A gap in the Linux kernel mechanism to mitigate speculatively
out-of-bounds loads (Spectre mitigation) has been identified.

Unprivileged BPF programs running on affected systems can bypass
the protection and execute speculatively out-of-bounds loads from
any location within the kernel memory. This can be abused to extract
contents of kernel memory via side-channel.

The identified gap is that unprivileged BPF programs are allowed to
perform pointer arithmetic on particular pointer types not defining
ptr_limit. Pointer arithmetic on such pointer types is not protected
against out-of-bounds speculation.

I developed a PoC to demonstrate the issue using ctx pointers that
allows unprivileged local users to extract contents of kernel memory.

The PoC has been shared privately with <> to assist
with fix development.

The patches are available from BPF subsystem public git repository. The
minimal fix is:

* bpf: Prohibit alu ops for pointer types not defining ptr_limit [

However it is recommended to apply the whole series as it includes
fix for another speculatively out-of-bounds vulnerability in BPF that
I reported at the same time and some additional hardening of the
affected code:

* bpf: Prohibit alu ops for pointer types not defining ptr_limit [
* bpf: Fix off-by-one for area size in creating mask to left [
* bpf: Simplify alu_limit masking for pointer arithmetic [
* bpf: Add sanity check for upper ptr_limit [
* bpf, selftests: Fix up some test_verifier cases for unprivileged [

Details of the other vulnerability to be provided in a separate email.

# Discoverer

Piotr Krysiuk <>

# References

CVE-2020-27170 (reserved via

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.