Hello development folks,
quoted from https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spe...:
[...] Both vulnerabilities are related to the Linux kernel support for "extended Berkeley Packet Filters" (BPF). BPF allows users to execute user-provided programs directly in the Linux kernel. When loading these programs, the Linux kernel analyzes the program code to ensure they are safe. However, part of this analysis, intended to mitigate Spectre, was not sufficient to protect against some exploitation techniques. [...]
The most serious issue is CVE-2020-27170, which can be abused to reveal content from any location within the kernel memory, all of the machine’s RAM, in other words. Unprivileged BPF programs running on affected systems could bypass the Spectre mitigations and execute speculatively out-of-bounds loads with no restrictions. This could then be abused to reveal contents of the memory via side-channels. The identified security gap was that unprivileged BPF programs were allowed to perform pointer arithmetic on particular pointer types, where the ptr_limit was not defined. The Linux kernel did not include any protection against out-of-bounds speculation when performing pointer arithmetic on such pointer types.
The second reported issue, CVE-2020-27171, can reveal content from a 4 GB range of kernel memory around some of the structures that are protected. This issue is caused by a numeric error in the Spectre mitigations when protecting pointer arithmetic against out-of-bounds speculations. Unprivileged BPF programs running on affected systems can exploit this error to execute speculatively out-of-bounds loads from a 4 GB range of kernel memory below the protected structure. Like CVE-2020-27170, this can also be abused to reveal contents of kernel memory via side-channels. [...]
"Don't do a JIT in the kernel", we have told them. "Don't let unprivileged users put their stuff into it", we told them. "Don't use something volatile and hard to check - no mprotect on JITs, right? - when it comes to packet filters", we told them.
*sigh*
Since we are currently running Linux 4.14.212, while the most recent release of that branch is 4.14.228, I guess we'll have to upgrade 4.14.x one more time. Unless Arne has 5.10.x virtually ready, resources permitting... :-)
Thanks, and best regards, Peter Müller
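Added illustration (not from the post above, and not IPFire's or the kernel's own code): the Symantec excerpt says the verifier's Spectre defence guards BPF pointer arithmetic and that a numeric error in that guard opened a 4 GB window. The C below shows the shape of such a defence, a branch-free mask that clamps the scalar added to a pointer to a computed limit, and how a limit computed one off and carried as a 32-bit value turns "no room left" into 0xffffffff, i.e. a 4 GB allowance. The region layout, function names and limit arithmetic are assumptions chosen for the example; the kernel's actual code path is not shown on this page.

```c
/* Illustrative example, not the Linux BPF verifier's code. Region layout,
 * names and the limit arithmetic are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>

#define REGION_SIZE 512u   /* usable bytes below 'top': indices [-512, 0) */

/* Branch-free clamp: returns off if 0 <= off <= limit, otherwise 0.
 * There is no conditional branch to mispredict, so even on a speculative
 * path the offset actually used never exceeds 'limit'. (off must not be
 * INT64_MIN; negating it would overflow.) */
static int64_t spec_mask_offset(uint32_t limit, int64_t off)
{
    int64_t ax = (int64_t)limit - off;                  /* < 0 iff off > limit          */
    ax |= off;                                          /* < 0 iff off > limit or off<0 */
    ax = -ax;                                           /* >= 0 iff the add is blocked  */
    uint64_t allow = (uint64_t)0 - ((uint64_t)ax >> 63); /* all ones iff allowed        */
    return (int64_t)((uint64_t)off & allow);
}

/* Correct limit for adding a non-negative scalar to a pointer at signed
 * index 'pos' (-REGION_SIZE <= pos <= 0). The highest loadable index is -1;
 * a pointer held exactly at the top (pos == 0) may not move up at all. */
static uint32_t ptr_limit_fixed(int32_t pos)
{
    return pos >= 0 ? 0u : (uint32_t)(-pos - 1);
}

/* Same arithmetic without the boundary case, stored as the 32-bit value the
 * mask is fed. At pos == 0 it evaluates to (uint32_t)-1 == 0xffffffff, so
 * the mask lets the runtime-chosen scalar reach 4 GB beyond the region. */
static uint32_t ptr_limit_offbyone(int32_t pos)
{
    return (uint32_t)(-pos - 1);
}

typedef uint32_t (*limit_fn)(int32_t pos);

/* Index (relative to top) that a speculative load would touch after the
 * mask is applied. The architectural bounds check rejects bad loads anyway;
 * the mask is what keeps the *speculative* path inside the region. */
static int64_t spec_target(limit_fn limit, int32_t pos, int64_t off)
{
    return (int64_t)pos + spec_mask_offset(limit(pos), off);
}

/* 1 if 'idx' is a pointer value inside the region or at its top. */
static int pointer_ok(int64_t idx)
{
    return idx >= -(int64_t)REGION_SIZE && idx <= 0;
}

int main(void)
{
    int32_t pos = 0;                  /* pointer sitting at the region's top */
    int64_t attacker_off = 0x100000;  /* scalar chosen at runtime: 1 MiB     */
    int64_t t_fixed = spec_target(ptr_limit_fixed, pos, attacker_off);
    int64_t t_bug   = spec_target(ptr_limit_offbyone, pos, attacker_off);

    printf("limit (fixed)      = %u\n", ptr_limit_fixed(pos));
    printf("limit (off-by-one) = 0x%08x\n", ptr_limit_offbyone(pos));
    printf("speculative target, fixed:      %lld (inside: %d)\n",
           (long long)t_fixed, pointer_ok(t_fixed));
    printf("speculative target, off-by-one: %lld (inside: %d)\n",
           (long long)t_bug, pointer_ok(t_bug));
    return 0;
}
```

Running it prints a limit of 0 and a target of 0 for the fixed computation, and 0xffffffff with a target 1 MiB above the region for the off-by-one variant: the mask itself is sound, so the whole defence rests on the limit being computed exactly right in every boundary case. The practical consequence for a distribution is unchanged by the example: until the kernel carrying the fix is shipped, the exposure is limited to whoever may load unprivileged BPF programs on the box.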