[CVE-2021-33624] Linux kernel BPF protection against speculative execution attacks can be bypassed to read arbitrary kernel memory

oss-sec mailing list archives
From: Adam Morrison <mad () cs tau ac il>

Date: Mon, 21 Jun 2021 17:47:27 +0300
The Linux kernel BPF subsystem's protection against speculative
execution attacks (Spectre mitigation) can be bypassed.

On affected systems, an unprivileged BPF program can exploit this
vulnerability to leak the contents of arbitrary kernel memory (and
therefore, of all physical memory) via a side-channel.

The issue is that when the kernel's BPF verifier enumerates the
possible execution paths of a BPF program, it skips any branch
outcomes that are impossible according to the ISA semantics.
However, when the BPF program executes, such branch outcomes may be
mispredicted and so a path could speculatively execute that was
missed by the verifier.

For example, when analyzing a memory load instruction, the paths
inspected by the verifier could all use an address register that is
always in-bounds, so the instruction is deemed safe. A path missed by
the verifier, however, could put an arbitrary attacker-controlled
scalar into the address register before a branch that mispredicts
to the load instruction. This can be abused to read and leak the
contents of any kernel address via a side-channel.
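The verifier gap described above, modelled as an added toy example (not kernel code and not one of the PoCs): a path enumerator that tracks per-register value ranges and bounds-checks the index of each load. With speculative=False it follows only architecturally possible branch outcomes, as the pre-fix verifier does, and accepts the program; with speculative=True it also follows the impossible outcome, modelling a misprediction, and reports the load that can execute with the attacker's unbounded scalar. The program, array size and register ranges are constructed for illustration.

```python
from collections import deque

ARRAY_SIZE = 8             # constructed: size of the array the load indexes
UNKNOWN = (0, 2**32 - 1)   # range of an attacker-controlled 32-bit scalar

# Constructed toy program in the shape the advisory describes:
# an attacker scalar lands in r1, then a branch that can never be taken
# architecturally skips the instruction that would replace it with a
# safe index, and a load uses r1 as the address register.
PROGRAM = [
    ("mov_imm", "r0", 0),       # 0: r0 = 0
    ("mov_unknown", "r1"),      # 1: r1 = attacker-controlled scalar
    ("jgt_imm", "r0", 5, 4),    # 2: if r0 > 5 goto 4   (never true: r0 == 0)
    ("mov_imm", "r1", 1),       # 3: r1 = 1             (in-bounds index)
    ("load", "r1"),             # 4: read array[r1]
    ("exit",),                  # 5
]

def branch_outcomes(lo, hi, k):
    """Which outcomes of 'reg > k' are possible when reg is in [lo, hi]."""
    return {"taken": hi > k, "fallthrough": lo <= k}

def verify(program, speculative):
    """Enumerate paths; return [(pc, (lo, hi))] for loads that may be out of bounds.
    speculative=False follows only outcomes the ISA semantics allow (old verifier);
    speculative=True also follows the impossible outcome, as a mispredict would."""
    bad, seen = [], set()
    work = deque([(0, {})])                 # (pc, register ranges)
    while work:
        pc, regs = work.popleft()
        key = (pc, tuple(sorted(regs.items())))
        if key in seen:
            continue
        seen.add(key)
        insn, op = program[pc], program[pc][0]
        if op == "exit":
            continue
        if op == "mov_imm":
            work.append((pc + 1, {**regs, insn[1]: (insn[2], insn[2])}))
        elif op == "mov_unknown":
            work.append((pc + 1, {**regs, insn[1]: UNKNOWN}))
        elif op == "load":
            lo, hi = regs[insn[1]]
            if lo < 0 or hi >= ARRAY_SIZE:  # index not provably in bounds
                bad.append((pc, (lo, hi)))
            work.append((pc + 1, regs))
        elif op == "jgt_imm":
            reg, k, target = insn[1], insn[2], insn[3]
            lo, hi = regs[reg]
            poss = branch_outcomes(lo, hi, k)
            if poss["taken"] or speculative:
                # Architectural path refines the range; a mispredicted path keeps the real one.
                r = {**regs, reg: (max(lo, k + 1), hi)} if poss["taken"] else regs
                work.append((target, r))
            if poss["fallthrough"] or speculative:
                r = {**regs, reg: (lo, min(hi, k))} if poss["fallthrough"] else regs
                work.append((pc + 1, r))
    return bad
```

Calling `verify(PROGRAM, speculative=False)` returns an empty list, while `verify(PROGRAM, speculative=True)` reports the load at pc 4 with the full attacker-controlled range.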

Several PoCs of this vulnerability have been shared privately with
<security () kernel org> and the BPF maintainers to assist developing
the fix.

The following patch series (available from the mainline git
repository) fixes the vulnerability (the third is the main patch):

* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=d203b0fd863a2261e5d00b97f3d060c4c2a6db71
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=fe9a5ca7e370e613a9a75a13008a3845ea759d6e
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=9183671af6dbf60a1219371d4ed73e23f43b49db
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=973377ffe8148180b2651825b92ae91988141b05

Thanks to Piotr Krysiuk for collaborating on this advisory.

# Discoverers

Ofek Kirzner <ofekkir () gmail com> and Adam Morrison <mad () cs tau ac il>
Benedict Schlueter <benedict.schlueter () rub de> (independent report)
Piotr Krysiuk <piotras () gmail com> (independent report)

# References

CVE-2021-33624 (reserved via https://cveform.mitre.org/)
