From: Peter Müller
To: development@lists.ipfire.org
Subject: Fwd: Newly-Discovered Vulnerabilities Could Allow for Bypass of Spectre Mitigations in Linux
Date: Thu, 01 Apr 2021 20:40:17 +0200
Message-ID: <1694fa63-aae3-3f50-4e43-2c03e7d7daac@ipfire.org>

Hello development folks,

quoted from https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spectre-bypass-linux-vulnerabilities:

> [...] Both vulnerabilities are related to the Linux kernel support for "extended Berkeley Packet Filters" (BPF). BPF allows
> users to execute user-provided programs directly in the Linux kernel. When loading these programs, the Linux kernel analyzes
> the program code to ensure they are safe. However, part of this analysis, intended to mitigate Spectre, was not sufficient
> to protect against some exploitation techniques. [...]
>
> The most serious issue is CVE-2020-27170, which can be abused to reveal content from any location within the kernel memory,
> all of the machine’s RAM, in other words. Unprivileged BPF programs running on affected systems could bypass the Spectre
> mitigations and execute speculatively out-of-bounds loads with no restrictions. This could then be abused to reveal contents
> of the memory via side-channels. The identified security gap was that unprivileged BPF programs were allowed to perform pointer
> arithmetic on particular pointer types, where the ptr_limit was not defined. The Linux kernel did not include any protection
> against out-of-bounds speculation when performing pointer arithmetic on such pointer types.
>
> The second reported issue, CVE-2020-27171, can reveal content from a 4 GB range of kernel memory around some of the structures
> that are protected. This issue is caused by a numeric error in the Spectre mitigations when protecting pointer arithmetic
> against out-of-bounds speculations. Unprivileged BPF programs running on affected systems can exploit this error to execute
> speculatively out-of-bounds loads from a 4 GB range of kernel memory below the protected structure. Like CVE-2020-27170, this
> can also be abused to reveal contents of kernel memory via side-channels. [...]

"Don't do a JIT in the kernel", we have told them. "Don't let unprivileged users put their stuff into it", we told them.
"Don't use something volatile and hard to check - no mprotect on JITs, right? - when it comes to packet filters", we told them.

*sigh*

Since we are currently running Linux 4.14.212, while the most recent release of that branch is 4.14.228, I guess we'll have to
upgrade 4.14.x one more time. Unless Arne has 5.10.x virtually ready, resources permitting... :-)

Thanks, and best regards,
Peter Müller
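Both quoted CVEs require that unprivileged users can load BPF programs, so the first thing an administrator wants to know is whether a host allows that at all, and how far behind the 4.14 branch head it is. The following script is an added example for this thread, not code from the mail or from the IPFire project. It assumes the standard Linux sysctl `kernel.unprivileged_bpf_disabled` (read here through its `/proc/sys` file, which the mail does not name; a value of 0 means unprivileged loads are allowed, 1 or 2 means they are blocked), and it compares the running kernel version with the 4.14.228 figure the mail cites. Note what the check does not tell you: a version comparison only shows how far behind the branch you are, not whether the specific fix is present, and a disabled sysctl does not patch the verifier, it only removes the unprivileged path the quoted text describes.

```shell
#!/bin/sh
# Added example (not part of the original mail): report whether unprivileged
# BPF program loading is disabled on this host and compare the running kernel
# with the newest 4.14 release named in the mail.

# Print "enabled", "disabled" or "unknown" for the unprivileged-BPF sysctl.
# The file path is a parameter so the check can be run against a constructed
# file as well as the live /proc entry (assumed Linux path).
unprivileged_bpf_status() {
    f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    if [ ! -r "$f" ]; then
        echo "unknown"
        return 0
    fi
    v=$(cat "$f")
    case "$v" in
        0)   echo "enabled" ;;    # unprivileged users may load BPF programs
        1|2) echo "disabled" ;;   # loads restricted to privileged users
        *)   echo "unknown" ;;
    esac
}

# Strip the distribution suffix from a `uname -r` string, e.g.
# "5.10.0-8-amd64" -> "5.10.0", so only dotted integers remain.
kernel_base_version() {
    echo "${1%%-*}"
}

# Compare two dotted versions field by field and print "older", "same" or
# "newer" for the first relative to the second. Missing fields count as 0.
version_compare() {
    a="$1"; b="$2"
    i=1
    while :; do
        x=$(echo "$a" | cut -d. -f"$i")
        y=$(echo "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            echo "same"
            return 0
        fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo "older"; return 0; fi
        if [ "$x" -gt "$y" ]; then echo "newer"; return 0; fi
        i=$((i + 1))
    done
}

# Human-readable summary for the local host. 4.14.228 is the branch head
# quoted in the mail; it is a reference point, not a claimed fix version.
report() {
    running=$(kernel_base_version "$(uname -r)")
    echo "unprivileged BPF: $(unprivileged_bpf_status)"
    echo "running kernel:   $running ($(version_compare "$running" 4.14.228) than 4.14.228)"
}

report
```

Run it as root or any user that can read `/proc/sys/kernel`; on a host without that file it reports "unknown" rather than failing, so it is safe to drop into an inventory script.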