Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 21 Jun 2021 17:47:27 +0300
From: Adam Morrison <>
Subject: [CVE-2021-33624] Linux kernel BPF protection against speculative
 execution attacks can be bypassed to read arbitrary kernel memory

The Linux kernel BPF subsystem's protection against speculative
execution attacks (Spectre mitigation) can be bypassed.

On affected systems, an unprivileged BPF program can exploit this
vulnerability to leak the contents of arbitrary kernel memory (and
therefore, of all physical memory) via a side-channel.

The issue is that when the kernel's BPF verifier enumerates the
possible execution paths of a BPF program, it skips any branch
outcomes that are impossible according to the ISA semantics.
However, when the BPF program executes, such branch outcomes may be
mispredicted and so a path could speculatively execute that was
missed by the verifier.

For example, when analyzing a memory load instruction, the paths
inspected by the verifier could use an address register that is always
in-bounds, and so the instruction is deemed safe. Whereas a path
missed by the verifier could put an arbitrary attacker-controlled
scalar into the address register before a branch that mispredicts
to the load instruction. This can be abused to read and leak the
contents of any kernel address via a side-channel.

Several PoCs of this vulnerability have been shared privately with
<> and the BPF maintainers to assist developing
the fix.

The following patch series (available from the mainline git
repository) fixes the vulnerability (the 3rd one is the main patch):


Thanks to Piotr Krysiuk for collaborating on this advisory.

# Discoverers

Ofek Kirzner <> and Adam Morrison <>
Benedict Schlueter <> (independent report)
Piotr Krysiuk <> (independent report)

# References

CVE-2021-33624 (reserved via

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.