Message-ID: <CAFzhf4pDZV74SeGurKt1iW=Egt5NwZ=Zvz3Y9dsq86wLfxupOQ@mail.gmail.com>
Date: Sun, 1 Aug 2021 20:40:13 +0100
From: Piotr Krysiuk <piotras@...il.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2021-34556,CVE-2021-35477] Linux kernel BPF protection against Speculative Store Bypass can be bypassed to disclose arbitrary kernel memory

Two separate issues have been discovered in the Linux kernel mechanism to mitigate Speculative Store Bypass in BPF. On affected systems, an unprivileged BPF program can exploit either of these issues to disclose the content of arbitrary kernel memory via a side-channel.

The first issue is that when protecting memory operations against Speculative Store Bypass, the technique used by the BPF verifier to manage speculation is unreliable. Specifically, each potentially problematic memory store operation is sanitized by inserting a preempting store of zero value. The preempting store is incorrectly assumed to complete "fast" as it only depends on the BPF stack frame pointer. However, a few different scenarios have been identified where this assumption is invalid, demonstrated by a dependent load instruction speculatively executing ahead of the preempting store. Practical attacks have been shown to disclose content of arbitrary kernel memory via a side-channel. CVE-2021-35477 has been reserved for this issue.

The second issue is that when identifying memory store operations to be protected against Speculative Store Bypass, any uninitialized BPF stack locations are not considered. And so for each BPF stack location, the BPF verifier never attempts to protect the first store operation. Further, the BPF stack is allocated without any sanitization of preexisting memory content. Thus any later load instruction that depends on the unprotected store may speculatively execute ahead of the store to use unsanitized memory. Whenever it is possible to control content of the unsanitized memory before running the BPF program, this issue can be abused to perform a speculative load from an arbitrary memory location. A practical attack has been demonstrated to disclose content of arbitrary kernel memory via a side-channel. CVE-2021-34556 has been reserved for this issue.

Note that each issue can be abused independently of the other, relying on non-overlapping bugs.

The PoCs have been shared privately with BPF subsystem maintainers to assist with fix development.

The available fix reimplements the mitigation to follow techniques recommended by the CPU vendors and is available from the mainline kernel git repository:

* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=f5e81d1117501546b7be050c5fbafa6efd2c722c
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=2039f26f3aca5b0e419b98f65dd36481337b86ee

# Discoverers

Benedict Schlueter <benedict.schlueter@....de> (CVE-2021-34556)
Piotr Krysiuk <piotras@...il.com> (CVE-2021-35477)

# References

CVE-2021-34556 (reserved via https://cveform.mitre.org/)
CVE-2021-35477 (reserved via https://cveform.mitre.org/)
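A host-side check for the precondition named in the advisory (an unprivileged user able to load BPF programs on a CPU subject to Speculative Store Bypass), added here as an example and not part of the original message. It reads two standard Linux interfaces, the kernel.unprivileged_bpf_disabled sysctl and the spec_store_bypass sysfs entry; the function names are illustrative, and the script does not detect whether the fix commits are present in the running kernel.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether this host meets the
# precondition "unprivileged BPF on an SSB-affected CPU". Paths can be
# overridden through the environment for testing.
BPF_SYSCTL=${BPF_SYSCTL:-/proc/sys/kernel/unprivileged_bpf_disabled}
SSB_SYSFS=${SSB_SYSFS:-/sys/devices/system/cpu/vulnerabilities/spec_store_bypass}

# unpriv_bpf_state FILE
# Prints: allowed | disabled | disabled-locked | unknown
#   0 = unprivileged bpf() allowed
#   1 = disabled, cannot be re-enabled until reboot
#   2 = disabled, an administrator may still change the value
unpriv_bpf_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$1")" in
        0) echo allowed ;;
        1) echo disabled-locked ;;
        2) echo disabled ;;
        *) echo unknown ;;
    esac
}

# cpu_ssb_state FILE
# Prints: not-affected | affected | unknown
# Any status other than "Not affected" is treated as affected (conservative).
cpu_ssb_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(cat "$1")" in
        "Not affected"*) echo not-affected ;;
        *) echo affected ;;
    esac
}

# exposure BPF_FILE SSB_FILE
# Prints one verdict line. Unknown states fall through to REVIEW on purpose.
exposure() {
    bpf=$(unpriv_bpf_state "$1")
    ssb=$(cpu_ssb_state "$2")
    case "$bpf" in
        disabled|disabled-locked)
            echo "OK: unprivileged BPF is $bpf (cpu ssb: $ssb)"; return 0 ;;
    esac
    if [ "$ssb" = not-affected ]; then
        echo "OK: CPU reports not affected by SSB (unprivileged bpf: $bpf)"
    else
        echo "REVIEW: unprivileged bpf=$bpf, cpu ssb=$ssb; confirm the kernel carries the fixes"
    fi
}

exposure "$BPF_SYSCTL" "$SSB_SYSFS"
```

A REVIEW verdict means the precondition holds or could not be ruled out; whether the kernel includes the two fix commits still has to be confirmed against the distribution's changelog.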