Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 1 Aug 2021 20:40:13 +0100
From: Piotr Krysiuk <>
Subject: [CVE-2021-34556,CVE-2021-35477] Linux kernel BPF protection against
 Speculative Store Bypass can be bypassed to disclose arbitrary kernel memory

Two separate issues have been discovered in the Linux kernel mechanism
to mitigate Speculative Store Bypass in BPF.

On affected systems, an unprivileged BPF program can exploit any of
these issues to disclose the content of arbitrary kernel memory via a

The first issue is that when protecting memory operations against
Speculative Store Bypass, the technique used by the BPF verifier to
manage speculation is unreliable. Specifically, each potentially
problematic memory store operations is sanitized by inserting a
preempting store of zero value. The preempting store is incorrectly
assumed to complete "fast" as it only depends on the BPF stack frame
pointer. However a few different scenarios have been identified where
this assumption is invalid, by demonstrating a dependent load
instruction to speculatively execute ahead of the preempting store.
Practical attacks have been shown to disclose content of arbitrary
kernel memory via a side-channel. CVE-2021-35477 has been reserved for
this issue.

The second issue is that when identifying memory store operations to
be protected against Speculative Store Bypass, any uninitialized BPF
stack locations are not considered. And so for each BPF stack
location, the BPF verifier never attempts to protect the first store
operation. Further, the BPF stack is allocated without any sanitation
of preexisting memory content. Thus any later load instruction, that
depends on the unprotected store, may speculatively execute ahead of
the store to use unsanitized memory. Whenever it is possible to
control content of the unsanitized memory before running the BPF
program, this issue can be abused to perform speculative load from
arbitrary memory location. A practical attack has been demonstrated to
disclose content of arbitrary kernel memory via a side-channel.
CVE-2021-34556 has been reserved for this issue.

Note that each issue can be abused independently of the other, relying
on non-overlapping bugs.

The PoCs have been shared privately with BPF subsystem maintainers to
assist with fix development.

The available fix reimplements the mitigation to follow techniques
recommended by the CPU vendors and is available from mainline kernel
git repository:


# Discoverers

Benedict Schlueter <> (CVE-2021-34556)
Piotr Krysiuk <> (CVE-2021-35477)

# References

CVE-2021-34556 (reserved via
CVE-2021-35477 (reserved via

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.