Date: Mon, 21 Jun 2021 17:47:27 +0300 From: Adam Morrison <mad@...tau.ac.il> To: oss-security@...ts.openwall.com Subject: [CVE-2021-33624] Linux kernel BPF protection against speculative execution attacks can be bypassed to read arbitrary kernel memory The Linux kernel BPF subsystem's protection against speculative execution attacks (Spectre mitigation) can be bypassed. On affected systems, an unprivileged BPF program can exploit this vulnerability to leak the contents of arbitrary kernel memory (and therefore, of all physical memory) via a side-channel. The issue is that when the kernel's BPF verifier enumerates the possible execution paths of a BPF program, it skips any branch outcomes that are impossible according to the ISA semantics. However, when the BPF program executes, such branch outcomes may be mispredicted and so a path could speculatively execute that was missed by the verifier. For example, when analyzing a memory load instruction, the paths inspected by the verifier could use an address register that is always in-bounds, and so the instruction is deemed safe. Whereas a path missed by the verifier could put an arbitrary attacker-controlled scalar into the address register before a branch that mispredicts to the load instruction. This can be abused to read and leak the contents of any kernel address via a side-channel. Several PoCs of this vulnerability have been shared privately with <security@...nel.org> and the BPF maintainers to assist developing the fix. The following patch series (available from the mainline git repository) fixes the vulnerability (the 3rd one is the main patch): * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=d203b0fd863a2261e5d00b97f3d060c4c2a6db71 * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=fe9a5ca7e370e613a9a75a13008a3845ea759d6e * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=9183671af6dbf60a1219371d4ed73e23f43b49db * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=973377ffe8148180b2651825b92ae91988141b05 Thanks to Piotr Krysiuk for collaborating on this advisory. # Discoverers Ofek Kirzner <ofekkir@...il.com> and Adam Morrison <mad@...tau.ac.il> Benedict Schlueter <benedict.schlueter@....de> (independent report) Piotr Krysiuk <piotras@...il.com> (independent report) # References CVE-2021-33624 (reserved via https://cveform.mitre.org/)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.