Related Vulnerabilities: CVE-2021-35477  


Severity: Medium

Remote: No

Type: Information disclosure

Description

An issue has been discovered in the Linux kernel mechanism that mitigates Speculative Store Bypass in BPF. On affected systems, an unprivileged BPF program can exploit this issue to disclose the content of arbitrary kernel memory via a side-channel.

When protecting memory operations against Speculative Store Bypass, the technique the BPF verifier uses to manage speculation is unreliable. Each potentially problematic memory store operation is sanitized by inserting a preempting store of a zero value ahead of it. That preempting store is incorrectly assumed to complete quickly because it depends only on the BPF stack frame pointer. However, several scenarios have been identified in which this assumption does not hold: a dependent load instruction was demonstrated to execute speculatively ahead of the preempting store. Practical attacks have been shown to disclose the content of arbitrary kernel memory via a side-channel.
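The rewrite step described above, as an added example (my own model, not kernel code): a small C program that mimics the verifier's instruction-patching pass for flagged stack stores. It produces both variants side by side: the pre-fix scheme, a zero store through r10 to the same slot (the one this advisory calls unreliable), and the BPF_NOSPEC speculation barrier from the two referenced commits (the first adds the instruction, the second emits it in place of the zero store). The sample program and its per-instruction sanitize flags are constructed; deciding which stores to flag is the verifier's stack-slot tracking, which is taken as input here rather than reimplemented. The jump fix-up mirrors what bpf_patch_insn_data() has to do whenever instructions are inserted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Instruction layout and opcode bits as in the kernel uapi headers. */
struct bpf_insn { uint8_t code; uint8_t dst_reg:4; uint8_t src_reg:4; int16_t off; int32_t imm; };

#define BPF_LDX 0x01
#define BPF_ST 0x02
#define BPF_STX 0x03
#define BPF_JMP 0x05
#define BPF_ALU64 0x07
#define BPF_DW 0x18
#define BPF_MEM 0x60
#define BPF_NOSPEC 0xc0 /* mode bits of the BPF_ST|BPF_NOSPEC insn added by commit f5e81d11 */
#define BPF_JEQ 0x10
#define BPF_K 0x00
#define BPF_EXIT 0x90
#define BPF_MOV 0xb0
#define BPF_REG_FP 10
#define BPF_CLASS(c) ((c) & 0x07)
#define MAX_INSNS 64

/* Brace-list builders (kernel macros minus the compound-literal cast). */
#define BPF_LDX_MEM(SZ, DST, SRC, OFF) { .code = BPF_LDX | BPF_MEM | (SZ), .dst_reg = (DST), .src_reg = (SRC), .off = (OFF) }
#define BPF_STX_MEM(SZ, DST, SRC, OFF) { .code = BPF_STX | BPF_MEM | (SZ), .dst_reg = (DST), .src_reg = (SRC), .off = (OFF) }
#define BPF_ST_MEM(SZ, DST, OFF, IMM)  { .code = BPF_ST | BPF_MEM | (SZ), .dst_reg = (DST), .off = (OFF), .imm = (IMM) }
#define BPF_ST_NOSPEC()                { .code = BPF_ST | BPF_NOSPEC }
#define BPF_JMP_IMM(OP, DST, IMM, OFF) { .code = BPF_JMP | (OP) | BPF_K, .dst_reg = (DST), .imm = (IMM), .off = (OFF) }
#define BPF_MOV64_IMM(DST, IMM)        { .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = (DST), .imm = (IMM) }
#define BPF_EXIT_INSN()                { .code = BPF_JMP | BPF_EXIT }

/* Constructed sample program (not from the kernel). Insn 2 spills a pointer to
 * r10-8 and insn 3 overwrites that slot with a scalar; the verifier would mark
 * both stores. Insn 1 jumps over both, so its offset must be fixed up. */
static const struct bpf_insn sample[] = {
    BPF_LDX_MEM(BPF_DW, 2, 1, 0),            /* 0: r2 = *(u64 *)(r1 + 0) */
    BPF_JMP_IMM(BPF_JEQ, 2, 0, 2),           /* 1: if r2 == 0 goto +2 (-> 4) */
    BPF_STX_MEM(BPF_DW, BPF_REG_FP, 1, -8),  /* 2: *(u64 *)(r10 - 8) = r1, pointer spill */
    BPF_STX_MEM(BPF_DW, BPF_REG_FP, 2, -8),  /* 3: *(u64 *)(r10 - 8) = r2, scalar reuses slot */
    BPF_MOV64_IMM(0, 0),                     /* 4: r0 = 0 */
    BPF_EXIT_INSN(),                         /* 5: exit */
};
#define SAMPLE_LEN ((int)(sizeof(sample) / sizeof(sample[0])))
/* Per-insn verifier decision (the insn_aux_data sanitize flag), given as input. */
static const bool sample_sanitize[] = { false, false, true, true, false, false };
static struct bpf_insn patched[MAX_INSNS];

static bool is_jump(const struct bpf_insn *in)
{   /* the sample has no BPF_CALL, which the kernel also leaves alone here */
    return BPF_CLASS(in->code) == BPF_JMP && in->code != (BPF_JMP | BPF_EXIT);
}

/* Insert n insns before prog[idx], correcting every jump that crosses the
 * insertion point, as bpf_patch_insn_data() does. Returns new length or -1. */
static int insert_before(struct bpf_insn *prog, int len, int idx, const struct bpf_insn *patch, int n)
{
    if (len + n > MAX_INSNS)
        return -1;
    for (int i = 0; i < len; i++) {
        int target;
        if (!is_jump(&prog[i]))
            continue;
        target = i + 1 + prog[i].off;
        if (i < idx && target >= idx)
            prog[i].off += n;           /* forward jump over the gap */
        else if (i >= idx && target < idx)
            prog[i].off -= n;           /* backward jump over the gap */
    }
    memmove(&prog[idx + n], &prog[idx], (size_t)(len - idx) * sizeof(*prog));
    memcpy(&prog[idx], patch, (size_t)n * sizeof(*prog));
    return len + n;
}

/* Prefix every flagged stack store. use_nospec=false is the pre-fix scheme: a
 * zero store through r10 to the same slot, whose address depends on nothing but
 * the frame pointer and an immediate, which is why it was assumed to retire
 * quickly. use_nospec=true is the fix: a BPF_NOSPEC barrier instead. */
static int sanitize_stack_stores(struct bpf_insn *prog, int len, const bool *sanitize, bool use_nospec)
{
    int orig_len = len, delta = 0;
    for (int i = 0; i < orig_len; i++) {
        if (!sanitize[i])
            continue;
        struct bpf_insn nospec = BPF_ST_NOSPEC();
        struct bpf_insn zero = BPF_ST_MEM(BPF_DW, BPF_REG_FP, prog[i + delta].off, 0);
        len = insert_before(prog, len, i + delta, use_nospec ? &nospec : &zero, 1);
        if (len < 0)
            return -1;
        delta++;                        /* later original indices have shifted */
    }
    return len;
}

/* Copies the sample into patched[], rewrites it and returns the new length. */
static int patch_sample(bool use_nospec)
{
    memcpy(patched, sample, sizeof(sample));
    return sanitize_stack_stores(patched, SAMPLE_LEN, sample_sanitize, use_nospec);
}

static void dump(const char *title, const struct bpf_insn *p, int len)
{
    printf("%s\n", title);
    for (int i = 0; i < len; i++) {
        if (p[i].code == (BPF_ST | BPF_NOSPEC))
            printf("%3d: nospec\n", i);
        else if (BPF_CLASS(p[i].code) == BPF_STX)
            printf("%3d: *(u64 *)(r%d %+d) = r%d\n", i, p[i].dst_reg, p[i].off, p[i].src_reg);
        else if (BPF_CLASS(p[i].code) == BPF_ST)
            printf("%3d: *(u64 *)(r%d %+d) = %d\n", i, p[i].dst_reg, p[i].off, p[i].imm);
        else if (is_jump(&p[i]))
            printf("%3d: if r%d == %d goto %+d (-> %d)\n", i, p[i].dst_reg, p[i].imm, p[i].off, i + 1 + p[i].off);
        else
            printf("%3d: opcode 0x%02x\n", i, p[i].code);
    }
}

int main(void)
{
    dump("original", sample, SAMPLE_LEN);
    dump("pre-fix: zero store via r10", patched, patch_sample(false));
    dump("fixed: BPF_NOSPEC barrier", patched, patch_sample(true));
    return 0;
}
```

Both outputs are two instructions longer than the input and carry the jump at insn 1 retargeted from +2 to +4. The difference is what sits in front of each flagged store: the zero store is an ordinary memory write that the CPU may still reorder with later loads under speculation, whereas BPF_NOSPEC is a barrier (the x86-64 JIT lowers it to lfence) that stops the dependent load from running ahead of the store it is meant to preempt.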

Group     Package         Affected              Severity  Status

AVG-1881  linux-hardened  5.12.19.hardened1-1   Medium    Vulnerable

AVG-1880  linux-zen       5.13.7.zen1-1         Medium    Vulnerable

AVG-1879  linux           5.13.7.arch4-1        Medium    Vulnerable

AVG-1741  linux-lts       5.10.55-1             Medium    Vulnerable

References

https://www.openwall.com/lists/oss-security/2021/08/01/3
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5e81d1117501546b7be050c5fbafa6efd2c722c
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2039f26f3aca5b0e419b98f65dd36481337b86ee