oss-sec mailing list archives

Linux kernel: BPF spectre v1 mitigation bypass (CVE-2019-7308, fixed in 4.19.19 and 4.20.6)


From: Jann Horn <jannhorn () googlemail com>
Date: Fri, 1 Feb 2019 23:20:26 +0100

I discovered a bypass for the spectre v1 hardening in the eBPF engine
of the Linux kernel (which is exposed to unprivileged userspace since
kernel 4.4).

This is CVE-2019-7308. The issue has been fixed in 4.19.19 and 4.20.6
stable so far.

The main fix is
<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=979d63d50c0c0f7bc537bf821e056cc9fe5abd38>,
but it depends both on its parent commits and one ancestor that
fixes a new issue introduced by it.

Full bug report is at
<https://bugs.chromium.org/p/project-zero/issues/detail?id=1711>.
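Editor's note: the following triage helper is an added example and is not part of the post above or of the kernel fix. It encodes only what the advisory states (fix present in 4.19.19 and 4.20.6; eBPF reachable by unprivileged users since 4.4) and reports any other branch as "unknown" rather than guessing. Exposure is gauged with the kernel.unprivileged_bpf_disabled sysctl (/proc/sys/kernel/unprivileged_bpf_disabled, 0 = unprivileged loads allowed); the advisory does not mention that sysctl, so treating it as the exposure gate is this example's assumption. Distribution kernels routinely backport fixes without changing the upstream version string, so this is a first pass, not a verdict.

```python
"""Triage helper for CVE-2019-7308 (added example, not from the advisory).

Assumptions not stated in the advisory:
- Only the stable releases it names (4.19.19, 4.20.6) are treated as fixed;
  any other branch is reported as "unknown" instead of being guessed.
- Exposure is judged from kernel.unprivileged_bpf_disabled
  (/proc/sys/kernel/unprivileged_bpf_disabled): 0 means unprivileged
  processes may load eBPF programs, which is what the bypass needs.
- A version-string check cannot see distro backports; use it for triage only.
"""
import re
from typing import Dict, Tuple

# Stable releases the advisory names as carrying the fix, keyed by branch.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (4, 19): (4, 19, 19),
    (4, 20): (4, 20, 6),
}


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from a `uname -r` style string.

    '4.19.18-1-amd64' -> (4, 19, 18); '4.20' -> (4, 20, 0).
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def upstream_status(release: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for an upstream version string.

    'unknown' covers branches the advisory says nothing about (the post says
    "fixed in 4.19.19 and 4.20.6 stable so far"), e.g. 4.14.y or 5.0-rc.
    """
    ver = parse_kernel_release(release)
    branch = ver[:2]
    if branch not in FIXED_IN:
        return "unknown"
    return "fixed" if ver >= FIXED_IN[branch] else "vulnerable"


def unprivileged_bpf_exposed(sysctl_value: str) -> bool:
    """True when kernel.unprivileged_bpf_disabled reads 0 (unprivileged loads allowed)."""
    return sysctl_value.strip() == "0"


def triage(release: str, sysctl_value: str) -> Dict[str, object]:
    """Combine the version verdict with the exposure check.

    'action' is the practical takeaway: a kernel that is not fixed but has
    unprivileged BPF disabled is not reachable by the attacker model in the
    advisory (a local unprivileged user), so the sysctl is a stopgap until the
    kernel is updated.
    """
    status = upstream_status(release)
    exposed = unprivileged_bpf_exposed(sysctl_value)
    if status == "fixed":
        action = "none"
    elif not exposed:
        action = "not reachable by unprivileged users; update when possible"
    elif status == "vulnerable":
        action = "update kernel or set kernel.unprivileged_bpf_disabled=1"
    else:
        action = "check vendor backport status; consider kernel.unprivileged_bpf_disabled=1"
    return {"release": release, "status": status, "exposed": exposed, "action": action}


def triage_local() -> Dict[str, object]:
    """Run the triage against the running kernel (Linux only)."""
    import platform

    with open("/proc/sys/kernel/unprivileged_bpf_disabled") as f:
        return triage(platform.release(), f.read())


if __name__ == "__main__":
    # Constructed inputs so the example runs anywhere; swap for triage_local().
    for rel, sysctl in [("4.19.18-1-amd64", "0\n"), ("4.20.6-arch1", "0\n"),
                        ("4.14.97", "1\n")]:
        print(triage(rel, sysctl))
```

The sysctl value alone is worth checking in an incident: on an affected kernel, kernel.unprivileged_bpf_disabled=1 removes the unprivileged attack surface the post describes, at the cost of breaking unprivileged eBPF users such as some socket-filter tooling.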

