Related Vulnerabilities: CVE-2021-31829  

Severity Medium

Remote No

Type Information disclosure

Description

An issue has been discovered in the Linux kernel mechanism that mitigates speculative loads (Spectre mitigation). Unprivileged BPF programs running on affected systems can bypass the protection and perform speculative loads from the kernel stack. This can be abused to extract the contents of the stack via a side channel. The extracted contents may include addresses of kernel structures that could be used to defeat Kernel Address Space Layout Randomization (KASLR) and so facilitate exploitation of other vulnerabilities.

The identified gap is that while the BPF stack pointer is protected against speculative pointer arithmetic, the BPF stack area itself is not protected against speculative loads. This can be abused to perform speculative loads from any location within the BPF stack, so any restricted data held on the BPF stack can be disclosed, such as addresses of data structures referred to by the BPF program. Further, the previous contents of kernel memory are not wiped when the BPF stack is allocated, so stale data left there by earlier kernel code can be disclosed as well. The attack requires the ability to load BPF programs as an unprivileged user; on systems where that is disabled (the kernel.unprivileged_bpf_disabled sysctl set to a non-zero value) only privileged users can reach this code path.
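The following userspace C model is an added illustration and is not code from this page, from the kernel, or from the referenced commits. It separates the two halves of the gap the description names: a branchless range mask of the kind used to confine a pointer to the 512-byte BPF stack even on a mispredicted bounds check (value-equivalent to the kernel's generic array_index_mask_nospec(), rewritten with unsigned arithmetic), and a frame that is not cleared before the program runs, so a slot the program never wrote still returns what the previous occupant left there. The 512-byte size is the kernel's MAX_BPF_STACK; the address-like stale values are constructed, and the clear_frame switch is a modeling device to isolate the stale contents, not a description of the upstream fix. Speculation itself cannot be reproduced in a model like this; the code shows why confinement alone does not protect stale slot contents.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BPF_STACK_SIZE 512UL                        /* MAX_BPF_STACK in the kernel */
#define BITS_PER_LONG  (sizeof(unsigned long) * CHAR_BIT)
#define NSLOTS         (BPF_STACK_SIZE / sizeof(uint64_t))   /* 64 eight-byte slots */

/*
 * Branchless range mask: ~0UL when index < size, 0 otherwise. No branch is
 * involved, so the result is also correct on a mispredicted path, which is
 * what makes it usable as a Spectre v1 guard. Value-equivalent to the
 * kernel's generic array_index_mask_nospec(); written with unsigned
 * arithmetic only so every step is well defined in plain C.
 */
unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* Top bit of x is set exactly when index >= size (size - 1 - index wraps). */
    unsigned long x = index | (size - 1UL - index);
    unsigned long in_range = (x >> (BITS_PER_LONG - 1)) ^ 1UL;   /* 1 or 0 */
    return 0UL - in_range;                                        /* ~0UL or 0 */
}

/* Model of the 512-byte BPF stack, which lives on the kernel stack. */
struct bpf_frame {
    uint64_t slot[NSLOTS];
};

/*
 * Constructed stand-in for data a previous kernel call path left on the
 * stack: address-shaped values, the kind of content the advisory says can
 * be disclosed. Not a real kernel address.
 */
#define STALE_BASE 0xffffffff81000000ULL

static void leave_stale_kernel_data(struct bpf_frame *f)
{
    for (size_t i = 0; i < NSLOTS; i++)
        f->slot[i] = STALE_BASE + 0x10 * i;
}

/*
 * Load from fp-relative slot idx, with idx derived from untrusted input.
 * The mask confines the access to the frame even when a bounds check is
 * mispredicted (an out-of-range idx folds to slot 0). This is the part the
 * advisory says is already hardened: the pointer never leaves the BPF stack.
 */
uint64_t confined_stack_load(const struct bpf_frame *f, unsigned long idx)
{
    return f->slot[idx & index_mask_nospec(idx, NSLOTS)];
}

/*
 * A BPF-program-like sequence: write one slot, then read slot idx.
 * clear_frame wipes the frame before the program runs; it is a modeling
 * device to show what the stale contents contribute, not the upstream fix.
 */
uint64_t run_program(unsigned long idx, int clear_frame)
{
    struct bpf_frame f;

    leave_stale_kernel_data(&f);               /* what the previous user left */
    if (clear_frame)
        memset(&f, 0, sizeof f);
    f.slot[0] = 0x1122334455667788ULL;         /* the only slot the program writes */
    return confined_stack_load(&f, idx);
}

int main(void)
{
    printf("mask(5, 64)  = %#lx\n", index_mask_nospec(5, NSLOTS));
    printf("mask(64, 64) = %#lx\n", index_mask_nospec(NSLOTS, NSLOTS));
    printf("slot 5, frame not cleared: %#llx (stale, address-like)\n",
           (unsigned long long)run_program(5, 0));
    printf("slot 5, frame cleared:     %#llx\n",
           (unsigned long long)run_program(5, 1));
    printf("slot 1000 folds to slot 0: %#llx\n",
           (unsigned long long)run_program(1000, 0));
    return 0;
}
```

The masked load shows the confinement the verifier already provided: an index of 1000 or ULONG_MAX cannot produce an address outside the frame. The run without clear_frame shows the remaining problem: confinement says nothing about what the in-range slots contain, and a slot the program never wrote hands back whatever the previous kernel code stored there.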

Group     Package         Affected              Severity  Status
AVG-1881  linux-hardened  5.11.17.hardened1-1   Medium    Vulnerable
AVG-1880  linux-zen       5.12.1.zen2-1         Medium    Vulnerable
AVG-1879  linux           5.12.1.arch4-1        Medium    Vulnerable
AVG-1741  linux-lts       5.10.34-1             Medium    Vulnerable

https://www.openwall.com/lists/oss-security/2021/05/04/4
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=b9b34ddbe2076ade359cd5ce7537d5ed019e9807
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=801c6058d14a82179a7ee17a4b532cac6fad067f