oss-sec mailing list archives
[CVE-2020-27170] Protection against speculatively out-of-bounds loads in the Linux kernel can be bypassed by unprivileged local users to leak content of kernel memory
From: Piotr Krysiuk <piotras () gmail com>
Date: Thu, 18 Mar 2021 22:06:13 +0000
A gap in the Linux kernel mechanism to mitigate speculatively out-of-bounds loads (Spectre mitigation) has been identified. Unprivileged BPF programs running on affected systems can bypass the protection and execute speculatively out-of-bounds loads from any location within the kernel memory. This can be abused to extract contents of kernel memory via side-channel. The identified gap is that unprivileged BPF programs are allowed to perform pointer arithmetic on particular pointer types not defining ptr_limit. Pointer arithmetic on such pointer types is not protected against out-of-bounds speculation. I developed a PoC to demonstrate the issue using ctx pointers that allows unprivileged local users to extract contents of kernel memory. The PoC has been shared privately with <security () kernel org> to assist with fix development. The patches are available from BPF subsystem public git repository. The minimal fix is: * bpf: Prohibit alu ops for pointer types not defining ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 ] However it is recommended to apply the whole series as it includes fix for another speculatively out-of-bounds vulnerability in BPF that I reported at the same time and some additional hardening of the affected code: * bpf: Prohibit alu ops for pointer types not defining ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 ] * bpf: Fix off-by-one for area size in creating mask to left [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899 ] * bpf: Simplify alu_limit masking for pointer arithmetic [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b5871dca250cd391885218b99cc015aca1a51aea ] * bpf: Add sanity check for upper ptr_limit [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=1b1597e64e1a610c7a96710fc4717158e98a08b3 ] * bpf, selftests: Fix up some test_verifier cases for unprivileged [ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=0a13e3537ea67452d549a6a80da3776d6b7dedb3 ] Details of the other vulnerability to be provided in a separate email. # Discoverer Piotr Krysiuk <piotras () gmail com> # References CVE-2020-27170 (reserved via https://cveform.mitre.org/)
Current thread:
- [CVE-2020-27170] Protection against speculatively out-of-bounds loads in the Linux kernel can be bypassed by unprivileged local users to leak content of kernel memory Piotr Krysiuk (Mar 18)