Allele Security Alert
ASA-2019-00039
Identifier(s)
ASA-2019-00039, CVE-2019-7308
Title
BPF spectre v1 mitigation bypass
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
Linux kernel versions before 5.0
Linux kernel versions 4.20.x before 4.20.6
Linux kernel versions 4.19.x before 4.19.19
Linux kernel versions 4.14.x before 4.14.113
Linux kernel versions since the following commit:
bpf: prevent out-of-bounds speculation
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=b2157399cc9898260d6031c5bfe45fe137c1fbe7
Fixed version(s)
Linux kernel version 5.0
Linux kernel version 4.20.6
Linux kernel version 4.19.19
Linux kernel version 4.14.113
Linux kernel versions with the following commit applied:
bpf: fix sanitation of alu op with pointer / scalar type from different paths
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=d3bd7413e0ca40b60cf60d4003246d067cafdeda
Proof of concept
Yes
Description
kernel/bpf/verifier.c in the Linux kernel performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.
Technical details
It was reported that the original commit b2157399cc98 (“bpf: prevent out-of-bounds speculation”) was not sufficient to stop the CPU from speculating out-of-bounds memory accesses.
Credits
Jann Horn (Google Project Zero)
Reference(s)
Issue 1711: Linux: eBPF Spectre v1 mitigation is insufficient
https://bugs.chromium.org/p/project-zero/issues/detail?id=1711
Linux kernel: BPF spectre v1 mitigation bypass (CVE-2019-7308, fixed in 4.19.19 and 4.20.6)
https://seclists.org/oss-sec/2019/q1/106
bpf: prevent out of bounds speculation on pointer arithmetic
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=979d63d50c0c0f7bc537bf821e056cc9fe5abd38
bpf: prevent out of bounds speculation on pointer arithmetic
https://github.com/torvalds/linux/commit/979d63d50c0c0f7bc537bf821e056cc9fe5abd38
bpf: fix sanitation of alu op with pointer / scalar type from different paths
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=d3bd7413e0ca40b60cf60d4003246d067cafdeda
bpf: fix sanitation of alu op with pointer / scalar type from different paths
https://github.com/torvalds/linux/commit/d3bd7413e0ca40b60cf60d4003246d067cafdeda
bpf: prevent out-of-bounds speculation
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=b2157399cc9898260d6031c5bfe45fe137c1fbe7
bpf: prevent out-of-bounds speculation
https://github.com/torvalds/linux/commit/b2157399cc9898260d6031c5bfe45fe137c1fbe7
Linux 5.0
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0
Linux 4.20.6
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.6
Linux 4.19.19
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.19
Linux 4.14.113
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.113
CVE-2019-7308 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-7308
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7308.html
CVE-2019-7308 | SUSE
https://www.suse.com/security/cve/CVE-2019-7308
CVE-2019-7308
https://security-tracker.debian.org/tracker/CVE-2019-7308
CVE-2019-7308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7308
CVE-2019-7308
https://nvd.nist.gov/vuln/detail/CVE-2019-7308
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: December 2, 2019