[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[oss-security] [CVE-2020-27170] Protection against speculatively out-of-bounds loads in the Linux kernel can be bypassed by unprivileged local users to leak content of kernel memory



A gap in the Linux kernel mechanism to mitigate speculatively
out-of-bounds loads (Spectre mitigation) has been identified.

Unprivileged BPF programs running on affected systems can bypass
the protection and execute speculatively out-of-bounds loads from
any location within the kernel memory. This can be abused to extract
contents of kernel memory via side-channel.

The identified gap is that unprivileged BPF programs are allowed to
perform pointer arithmetic on particular pointer types not defining
ptr_limit. Pointer arithmetic on such pointer types is not protected
against out-of-bounds speculation.

I developed a PoC to demonstrate the issue using ctx pointers that
allows unprivileged local users to extract contents of kernel memory.

The PoC has been shared privately with <security AT kernel.org> to assist
with fix development.

The patches are available from BPF subsystem public git repository. The
minimal fix is:

* bpf: Prohibit alu ops for pointer types not defining ptr_limit [
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76
]

However it is recommended to apply the whole series as it includes
fix for another speculatively out-of-bounds vulnerability in BPF that
I reported at the same time and some additional hardening of the
affected code:

* bpf: Prohibit alu ops for pointer types not defining ptr_limit [
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76
]
* bpf: Fix off-by-one for area size in creating mask to left [
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899
]
* bpf: Simplify alu_limit masking for pointer arithmetic [
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b5871dca250cd391885218b99cc015aca1a51aea
]
* bpf: Add sanity check for upper ptr_limit [
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=1b1597e64e1a610c7a96710fc4717158e98a08b3
]
* bpf, selftests: Fix up some test_verifier cases for unprivileged [
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=0a13e3537ea67452d549a6a80da3776d6b7dedb3
]

Details of the other vulnerability to be provided in a separate email.

# Discoverer

Piotr Krysiuk <piotras AT gmail.com>

# References

CVE-2020-27170 (reserved via https://cveform.mitre.org/)