oss-sec mailing list archives
[CVE-2021-33624] Linux kernel BPF protection against speculative execution attacks can be bypassed to read arbitrary kernel memory
From: Adam Morrison <mad () cs tau ac il>
Date: Mon, 21 Jun 2021 17:47:27 +0300
The Linux kernel BPF subsystem's protection against speculative execution attacks (Spectre mitigation) can be bypassed. On affected systems, an unprivileged BPF program can exploit this vulnerability to leak the contents of arbitrary kernel memory (and therefore, of all physical memory) via a side-channel.

The issue is that when the kernel's BPF verifier enumerates the possible execution paths of a BPF program, it skips any branch outcomes that are impossible according to the ISA semantics. However, when the BPF program executes, such branch outcomes may be mispredicted, so a path could speculatively execute that was missed by the verifier. For example, when analyzing a memory load instruction, the paths inspected by the verifier could use an address register that is always in-bounds, and so the instruction is deemed safe, whereas a path missed by the verifier could put an arbitrary attacker-controlled scalar into the address register before a branch that mispredicts to the load instruction. This can be abused to read and leak the contents of any kernel address via a side-channel.

Several PoCs of this vulnerability have been shared privately with <security () kernel org> and the BPF maintainers to assist developing the fix.

The following patch series (available from the mainline git repository) fixes the vulnerability (the 3rd one is the main patch):

* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=d203b0fd863a2261e5d00b97f3d060c4c2a6db71
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=fe9a5ca7e370e613a9a75a13008a3845ea759d6e
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=9183671af6dbf60a1219371d4ed73e23f43b49db
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=973377ffe8148180b2651825b92ae91988141b05

Thanks to Piotr Krysiuk for collaborating on this advisory.
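A toy model of the analysis gap described above, added here as an illustration; it is not code from the advisory or the kernel's BPF verifier. It enumerates the paths of a constructed BPF-like program twice: once pruning branch outcomes that are impossible under the ISA semantics, and once also following those outcomes because a misprediction can execute them. The instruction encoding, register-range tracking, BUF_LEN and UNKNOWN are all assumptions invented for the model; it covers only the pruned-path gap, not misprediction of a bounds check itself.

```python
from typing import Dict, List, Set, Tuple
Range = Tuple[int, int]           # inclusive (lo, hi) bounds tracked for a scalar register
BUF_LEN = 8                       # constructed: a load is safe only if its address is in [0, BUF_LEN)
UNKNOWN: Range = (0, 2**32 - 1)   # constructed: an attacker-controlled scalar

def walk(prog: List[tuple], pc: int, regs: Dict[str, Range],
         speculative: bool, unsafe: Set[int]) -> None:
    """Depth-first path enumeration; records the pc of every load whose
    address is not provably in bounds on some explored path."""
    while pc < len(prog):
        insn = prog[pc]
        if insn[0] == "set":                   # ("set", reg, (lo, hi))
            regs = {**regs, insn[1]: insn[2]}
        elif insn[0] == "jlt":                 # ("jlt", reg, k, target): if reg < k goto target
            reg, k, target = insn[1:]
            lo, hi = regs[reg]
            if lo < k:                         # taken edge is possible under ISA semantics
                walk(prog, target, {**regs, reg: (lo, min(hi, k - 1))}, speculative, unsafe)
            elif speculative:                  # impossible per the ISA, but a misprediction can go there
                walk(prog, target, regs, speculative, unsafe)
            if hi >= k:                        # fall-through is possible under ISA semantics
                regs = {**regs, reg: (max(lo, k), hi)}
            elif not speculative:
                return                         # the ISA-only walk prunes this path
        elif insn[0] == "load":                # ("load", reg): memory access at address reg
            lo, hi = regs[insn[1]]
            if lo < 0 or hi >= BUF_LEN:
                unsafe.add(pc)
        elif insn[0] == "exit":
            return
        pc += 1

def verify(prog: List[tuple], speculative: bool) -> Set[int]:
    """Return the set of load pcs the chosen analysis would reject."""
    unsafe: Set[int] = set()
    walk(prog, 0, {}, speculative, unsafe)
    return unsafe

# Constructed program for the advisory's scenario: r2 is constant, so the branch at
# pc 2 is always taken per ISA semantics and pc 3 is architecturally unreachable; a
# misprediction can still run pc 3 and reach the load at pc 4 with r1 attacker-controlled.
PROG = [
    ("set", "r2", (0, 0)),
    ("set", "r1", (0, BUF_LEN - 1)),
    ("jlt", "r2", 1, 4),
    ("set", "r1", UNKNOWN),
    ("load", "r1"),
    ("exit",),
]
print(verify(PROG, speculative=False), verify(PROG, speculative=True))  # set() {4}
```

The ISA-only walk accepts the load because every path it inspects reaches pc 4 with r1 in bounds; the speculation-aware walk rejects it because the pruned fall-through reaches the same load with an unbounded r1.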
# Discoverers

Ofek Kirzner <ofekkir () gmail com> and Adam Morrison <mad () cs tau ac il>
Benedict Schlueter <benedict.schlueter () rub de> (independent report)
Piotr Krysiuk <piotras () gmail com> (independent report)

# References

CVE-2021-33624 (reserved via https://cveform.mitre.org/)