oss-sec mailing list archives
Linux kernel: BPF spectre v1 mitigation bypass (CVE-2019-7308, fixed in 4.19.19 and 4.20.6)
From: Jann Horn <jannhorn () googlemail com>
Date: Fri, 1 Feb 2019 23:20:26 +0100
I discovered a bypass for the spectre v1 hardening in the eBPF engine of the Linux kernel (which is exposed to unprivileged userspace since kernel 4.4). This is CVE-2019-7308. The issue has been fixed in 4.19.19 and 4.20.6 stable so far. The main fix is https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=979d63d50c0c0f7bc537bf821e056cc9fe5abd38, but it depends both on its parent commits and one ancestor that fixes a new issue introduced by it. Full bug report is at <https://bugs.chromium.org/p/project-zero/issues/detail?id=1711>.