A gap in the Linux kernel mechanism to mitigate speculatively out-of-bounds loads (Spectre mitigation) has been identified. Unprivileged BPF programs running on affected systems can bypass the protection and execute speculatively out-of-bounds loads from any location within the kernel memory. This can be abused to extract contents of kernel memory via side-channel. The identified gap is that unprivileged BPF programs are allowed to perform pointer arithmetic on particular pointer types not defining ptr_limit. Pointer arithmetic on such pointer types is not protected against out-of-bounds speculation.
A gap in the Linux kernel mechanism to mitigate speculatively out-of-bounds loads (Spectre mitigation) has been identified. Unprivileged BPF programs running on affected systems can bypass the protection and execute speculatively out-of-bounds loads from any location within the kernel memory. This can be abused to extract contents of kernel memory via side-channel. The identified gap is that unprivileged BPF programs are allowed to perform pointer arithmetic on particular pointer types not defining ptr_limit. Pointer arithmetic on such pointer types is not protected against out-of-bounds speculation.
https://www.openwall.com/lists/oss-security/2021/03/19/2 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76