[CVE-2021-31829] Linux kernel protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory

Related Vulnerabilities: CVE-2021-31829  

oss-sec
mailing list archives
From: Piotr Krysiuk <piotras () gmail com>

Date: Tue, 4 May 2021 11:06:52 +0100

An issue has been discovered in the Linux kernel mechanism to mitigate
speculative loads (Spectre mitigation).

Unprivileged BPF programs running on affected systems can bypass
the protection and execute speculative loads from the kernel stack.
This can be abused to extract contents of the stack via a side channel.
The extracted contents may include addresses of kernel structures
that could be used to defeat Kernel Address Space Layout Randomization
(KASLR) to facilitate exploitation of other vulnerabilities.

The identified gap is that when protecting BPF stack pointer against
speculative pointer arithmetic, the BPF stack area itself is not
protected against speculative loads. This could be abused to perform
speculative loads from any location within the BPF stack. And so
any restricted data from the BPF stack could be disclosed, such as
addresses of data structures referred to by the BPF program. Further,
the original content of kernel memory is not wiped when allocating
the BPF stack, and could be disclosed as well.

I developed a PoC that allows unprivileged local users to extract
contents of 511 bytes from the BPF stack.

The PoC has been shared privately with <security () kernel org> to assist
with fix development.

The patches are available from the BPF subsystem public git repository.

The fix depends on another recent commit that fixes a separate
issue. The full patch series is as follows:

* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b9b34ddbe2076ade359cd5ce7537d5ed019e9807
* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=801c6058d14a82179a7ee17a4b532cac6fad067f

# Discoverers

Piotr Krysiuk <piotras () gmail com>

# References

CVE-2021-31829 (reserved via https://cveform.mitre.org/)
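The advisory above notes that the issue is reachable from unprivileged BPF programs, so a defender's first question on an unpatched host is whether unprivileged users can load BPF programs at all. The following shell script is an added example, not part of the advisory or the kernel's own code: it reads and classifies the `kernel.unprivileged_bpf_disabled` sysctl (a real kernel knob; the value meanings 0/1/2 used here are the documented kernel semantics, and the `--live` flag and function names are this example's own). It accepts a constructed value on the command line so the classification can be exercised without root.

```shell
#!/bin/sh
# Added example: interpret kernel.unprivileged_bpf_disabled, the sysctl that
# controls whether unprivileged users may load BPF programs at all.
# Documented values: 0 = unprivileged BPF allowed,
#                    1 = disabled until reboot (cannot be re-enabled),
#                    2 = disabled, but an administrator may re-enable it.
# CVE-2021-31829 requires an unprivileged user to load a BPF program, so on
# an unpatched kernel a value of 0 is the exposed state this check flags.

SYSCTL_PATH=/proc/sys/kernel/unprivileged_bpf_disabled

# classify_unpriv_bpf VALUE -> prints exposed | locked | disabled | unknown
classify_unpriv_bpf() {
    case "$1" in
        0) echo exposed ;;
        1) echo locked ;;
        2) echo disabled ;;
        *) echo unknown ;;   # unreadable, absent, or an unrecognised value
    esac
}

# read_unpriv_bpf -> prints the live sysctl value, or "absent" when the
# file does not exist (kernel built without BPF, or a kernel predating it)
read_unpriv_bpf() {
    if [ -r "$SYSCTL_PATH" ]; then
        cat "$SYSCTL_PATH"
    else
        echo absent
    fi
}

# report_unpriv_bpf [VALUE] -> one-line report; uses the live sysctl when no
# value is given. Exit status is 1 when the host is in the exposed state.
report_unpriv_bpf() {
    value=${1:-$(read_unpriv_bpf)}
    state=$(classify_unpriv_bpf "$value")
    printf 'kernel.unprivileged_bpf_disabled=%s (%s)\n' "$value" "$state"
    [ "$state" != exposed ]
}

# Usage (hypothetical flag for this example): sh check_unpriv_bpf.sh --live
if [ "${1:-}" = "--live" ]; then
    report_unpriv_bpf
fi
```

A value other than 0 removes the unprivileged entry point the advisory describes but does not replace the kernel patches listed above; privileged BPF loaders are unaffected by this sysctl, and the underlying verifier gap is only closed by applying the fix series.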
