Message-ID: <CAHMfzJkhZ01FG62sfMdXayK_NwD3g=5NcpGmg+-PVZLBpjJ9Fw@mail.gmail.com>
Date: Mon, 21 Jun 2021 17:47:27 +0300
From: Adam Morrison <mad@...tau.ac.il>
To: oss-security@...ts.openwall.com
Subject: [CVE-2021-33624] Linux kernel BPF protection against speculative execution attacks can be bypassed to read arbitrary kernel memory

The Linux kernel BPF subsystem's protection against speculative
execution attacks (Spectre mitigation) can be bypassed.

On affected systems, an unprivileged BPF program can exploit this
vulnerability to leak the contents of arbitrary kernel memory (and
therefore, of all physical memory) via a side-channel.

The issue is that when the kernel's BPF verifier enumerates the
possible execution paths of a BPF program, it skips any branch
outcomes that are impossible according to the ISA semantics.
However, when the BPF program executes, such branch outcomes may be
mispredicted and so a path could speculatively execute that was
missed by the verifier.

For example, when analyzing a memory load instruction, every path the
verifier inspects might use an address register that is always
in-bounds, so the instruction is deemed safe. A path the verifier
missed, however, could put an arbitrary attacker-controlled scalar into
the address register before a branch that mispredicts into the load
instruction. This can be abused to read and leak the contents of any
kernel address via a side-channel.
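The verifier gap described above, modelled as an added toy example (not kernel code and not part of the advisory): an abstract interpreter that prunes branch outcomes the ISA rules out accepts a constructed program whose only architectural path loads an in-bounds address, while the same interpreter that also walks the ruled-out outcome as a speculative path rejects it. The instruction names, ARRAY_LEN and the verify function are assumptions of the model.

```python
# Toy model of BPF verifier path enumeration; assumed names, not real bytecode.
ARRAY_LEN = 16                 # only memory the program may touch: [0, ARRAY_LEN)
UNKNOWN = (0, 2**64 - 1)       # attacker-controlled scalar: no usable bounds

def verify(prog, explore_mispredicted):
    """Abstractly execute every path; returns (accepted, reason)."""
    worklist = [(0, {}, False)]            # (pc, register ranges, speculative?)
    while worklist:
        pc, regs, spec = worklist.pop()
        regs = dict(regs)
        op, *args = prog[pc]
        if op == "mov_imm":                # rX = constant
            regs[args[0]] = (args[1], args[1])
        elif op == "mov_scalar":           # rX = caller-supplied scalar
            regs[args[0]] = UNKNOWN
        elif op == "mov":                  # rX = rY
            regs[args[0]] = regs[args[1]]
        elif op == "jeq_imm":              # if rX == imm goto target
            reg, imm, target = args
            lo, hi = regs[reg]
            may_take = lo <= imm <= hi
            may_fall = not (lo == hi == imm)
            if may_take:
                worklist.append((target, regs, spec))
            if may_fall:
                worklist.append((pc + 1, regs, spec))
            # The outcome the ISA rules out is still reachable under misprediction.
            if explore_mispredicted and not may_take:
                worklist.append((target, regs, True))
            if explore_mispredicted and not may_fall:
                worklist.append((pc + 1, regs, True))
            continue
        elif op == "load":                 # *(rX): must be provably in bounds
            lo, hi = regs[args[0]]
            if not (0 <= lo and hi < ARRAY_LEN):
                where = " (speculative path)" if spec else ""
                return False, f"pc {pc}: load address {(lo, hi)} not in bounds{where}"
        elif op == "exit":
            continue
        worklist.append((pc + 1, regs, spec))
    return True, "all enumerated paths safe"

# Constructed program in the shape the advisory describes.
PROG = [
    ("mov_imm", "r1", 0),        # 0: r1 = 0, an always-in-bounds index
    ("mov_scalar", "r2"),        # 1: r2 = attacker-controlled scalar
    ("mov_imm", "r3", 1),        # 2: r3 = 1
    ("jeq_imm", "r3", 1, 5),     # 3: always taken per ISA semantics...
    ("mov", "r1", "r2"),         # 4: ...so a pruning verifier never sees r1 = r2
    ("load", "r1"),              # 5: address register is r1
    ("exit",),                   # 6
]
```

Running `verify(PROG, False)` accepts the program; `verify(PROG, True)` rejects it at the load on the speculative path, which is the property the fix restores.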

Several PoCs of this vulnerability have been shared privately with
<security@...nel.org> and the BPF maintainers to assist developing
the fix.

The following patch series (available from the mainline git
repository) fixes the vulnerability (the 3rd one is the main patch):

* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=d203b0fd863a2261e5d00b97f3d060c4c2a6db71
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=fe9a5ca7e370e613a9a75a13008a3845ea759d6e
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=9183671af6dbf60a1219371d4ed73e23f43b49db
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=973377ffe8148180b2651825b92ae91988141b05

Thanks to Piotr Krysiuk for collaborating on this advisory.

# Discoverers

Ofek Kirzner <ofekkir@...il.com> and Adam Morrison <mad@...tau.ac.il>
Benedict Schlueter <benedict.schlueter@....de> (independent report)
Piotr Krysiuk <piotras@...il.com> (independent report)

# References

CVE-2021-33624 (reserved via https://cveform.mitre.org/)
