Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAFzhf4qipkzzR1r8mowFaMNmUxXMhR9agw=gqJs1CSLNF0=rWA@mail.gmail.com>
Date: Tue, 4 May 2021 11:06:52 +0100
From: Piotr Krysiuk <piotras@...il.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2021-31829] Linux kernel protection of stack pointer against
 speculative pointer arithmetic can be bypassed to leak content of kernel memory

An issue has been discovered in the Linux kernel mechanism to mitigate
speculative loads (Spectre mitigation).

Unprivileged BPF programs running on affected systems can bypass
the protection and execute speculative loads from the kernel stack.
This can be abused to extract contents of the stack via side-channel.
The extracted contents may include addresses of kernel structures
that could be used to defeat Kernel Address Space Layout Randomization
(KASLR) to facilitate exploitation of other vulnerabilities.

The identified gap is that when protecting BPF stack pointer against
speculative pointer arithmetic, the BPF stack area itself is not
protected against speculative loads. This could be abused to perform
speculative loads from any location within the BPF stack. And so
any restricted data from the BPF stack could be disclosed, such as
addresses of data structures referred by the BPF program. Further,
the original content of kernel memory is not wiped when allocating
the BPF stack, and could be disclosed as well.

I developed a PoC that allows unprivileged local users to extract
contents of 511 bytes from the BPF stack.

The PoC has been shared privately with <security@...nel.org> to assist
with fix development.

The patches are available from the BPF subsystem public git repository.

The fix has dependency of another recent commit fixing a separate
issue. The full patch series is as follows:

* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b9b34ddbe2076ade359cd5ce7537d5ed019e9807
* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=801c6058d14a82179a7ee17a4b532cac6fad067f

# Discoverers

Piotr Krysiuk <piotras@...il.com>

# References

CVE-2021-31829 (reserved via https://cveform.mitre.org/)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.