ASA-2019-00039 – Linux kernel: BPF spectre v1 mitigation bypass


Allele Security Alert

ASA-2019-00039

Identifier(s)

ASA-2019-00039, CVE-2019-7308

Title

BPF spectre v1 mitigation bypass

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 5.0

Linux kernel versions 4.20.x before 4.20.6
Linux kernel versions 4.19.x before 4.19.19
Linux kernel versions 4.14.x before 4.14.113

Linux kernel versions since the following commit:

bpf: prevent out-of-bounds speculation
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=b2157399cc9898260d6031c5bfe45fe137c1fbe7

Fixed version(s)

Linux kernel version 5.0

Linux kernel version 4.20.6
Linux kernel version 4.19.19
Linux kernel version 4.14.113

Linux kernel versions with the following commit applied:

bpf: fix sanitation of alu op with pointer / scalar type from different paths
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=d3bd7413e0ca40b60cf60d4003246d067cafdeda

Proof of concept

Yes

Description

kernel/bpf/verifier.c in the Linux kernel performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.

Technical details

Jann Horn reported that the original Spectre v1 mitigation in b2157399cc98 ("bpf: prevent out-of-bounds speculation"), which masked the index used in array map lookups, was not sufficient to stop the CPU from speculatively accessing memory out of bounds: the verifier still accepted pointer arithmetic on map value and stack pointers whose preceding bounds check can be mispredicted. Commit 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic") addressed this by rewriting such ALU operations so that the offset register is masked against a per-instruction limit derived from the pointer's verified bounds. Because that rewrite is patched in once per instruction, it is only sound if every verified path reaches the instruction with the same sanitization state and limit. Commit d3bd7413e0ca ("bpf: fix sanitation of alu op with pointer / scalar type from different paths") closes the remaining gap, where the same instruction is used as pointer arithmetic on one branch and as scalar arithmetic on another and the verifier incorrectly sanitized it based on the pointer's limit; such programs are now rejected. For a local attacker able to load BPF programs, the speculative out-of-bounds accesses provide a cache side channel for reading kernel memory.
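To make the mitigation and the consistency check concrete, the following is an added userspace C model; it is not the kernel's code and is not reproduced from any of the references below. sanitize_off() mirrors, in plain C, the branch-free masking sequence that commit 979d63d50c0c patches around pointer arithmetic (my reading of that commit, limited to the non-negative offset form: limit-1 minus offset, OR offset, negate, arithmetic shift by 63, AND). record_alu_state() models the per-instruction state and limit check behind the rejection in commit d3bd7413e0ca. The enum, struct layout, function names and the 16- and 64-byte map value sizes in the scenario are illustrative assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define EACCES 13

/*
 * Branch-free offset sanitation for "ptr += off" (off is treated as
 * unsigned; the negative-offset form is not modelled). Assumed to mirror
 * the sequence the fixed verifier patches in: ax = limit-1; ax -= off;
 * ax |= off; ax = -ax; ax >>= 63 (arithmetic); off &= ax.
 * Returns off unchanged when 0 <= off < limit, and 0 otherwise. No
 * data-dependent branch is involved, so a mispredicted bounds check
 * earlier in the program cannot carry the pointer out of the object,
 * even during speculation.
 */
static uint64_t sanitize_off(uint64_t off, uint32_t limit)
{
    uint64_t ax = (uint64_t)(uint32_t)(limit - 1u); /* MOV32 zero-extends */
    ax = ax - off;                  /* top bit set iff off > limit-1 */
    ax |= off;                      /* top bit also set iff off has its top bit set */
    ax = 0 - ax;                    /* NEG: top bit now set iff ax was positive (signed) */
    uint64_t mask = 0 - (ax >> 63); /* ARSH 63: all ones if in bounds, else 0 */
    return off & mask;
}

/* Per-instruction sanitation state recorded while the verifier walks every
 * path (illustrative names; the layout is an assumption). */
enum alu_state { ALU_NONE = 0, ALU_SANITIZE_PTR, ALU_NON_POINTER };

struct insn_aux {
    enum alu_state state;
    uint32_t limit; /* bytes the pointer may still move; unused for scalars */
};

/*
 * Record the sanitation one verified path needs at this instruction. The
 * mask is patched in once, so a later path with a different state or limit
 * cannot be served by the same patch and the program is rejected.
 */
static int record_alu_state(struct insn_aux *aux, enum alu_state state, uint32_t limit)
{
    if (aux->state != ALU_NONE && (aux->state != state || aux->limit != limit))
        return -EACCES;
    aux->state = state;
    aux->limit = limit;
    return 0;
}

/*
 * Why the check matters: if the limit of a path with a 64-byte map value
 * were baked into an instruction that another path reaches with a 16-byte
 * value, offsets 16..63 survive the mask on the 16-byte path and can be
 * dereferenced speculatively. Returns 1 when such an offset gets through.
 */
static int speculative_oob_possible(uint64_t off, uint32_t baked_limit, uint32_t real_limit)
{
    uint64_t masked = sanitize_off(off, baked_limit);
    return masked != 0 && masked >= real_limit;
}

/*
 * Constructed scenario: the same "ptr += off" instruction is reached by four
 * verified paths. Returns how many of them the consistency check rejects.
 */
static int count_rejected_paths(void)
{
    struct insn_aux aux = { ALU_NONE, 0 };
    int rejected = 0;
    rejected += record_alu_state(&aux, ALU_SANITIZE_PTR, 16) < 0; /* first path: recorded */
    rejected += record_alu_state(&aux, ALU_SANITIZE_PTR, 16) < 0; /* same state and limit */
    rejected += record_alu_state(&aux, ALU_SANITIZE_PTR, 64) < 0; /* different limit */
    rejected += record_alu_state(&aux, ALU_NON_POINTER, 0) < 0;   /* scalar use of the same insn */
    return rejected; /* 2 */
}

int main(void)
{
    printf("off 15, limit 16 -> %llu\n", (unsigned long long)sanitize_off(15, 16));
    printf("off 16, limit 16 -> %llu\n", (unsigned long long)sanitize_off(16, 16));
    printf("off -1, limit 16 -> %llu\n", (unsigned long long)sanitize_off((uint64_t)-1, 16));
    printf("off 32 with limit 64 baked in, real limit 16: oob possible = %d\n",
           speculative_oob_possible(32, 64, 16));
    printf("divergent paths rejected: %d of 4\n", count_rejected_paths());
    return 0;
}
```

The masking only bounds where the pointer can land; the verifier's ordinary access-size checks still decide whether a given load at that offset is accepted. The second half shows why a single baked-in limit is not enough on its own: without the state check, the patch that is correct for one path silently under-masks or over-masks the other.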

Credits

Jann Horn (Google Project Zero)

Reference(s)

Issue 1711: Linux: eBPF Spectre v1 mitigation is insufficient
https://bugs.chromium.org/p/project-zero/issues/detail?id=1711

Linux kernel: BPF spectre v1 mitigation bypass (CVE-2019-7308, fixed in 4.19.19 and 4.20.6)
https://seclists.org/oss-sec/2019/q1/106

bpf: prevent out of bounds speculation on pointer arithmetic
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=979d63d50c0c0f7bc537bf821e056cc9fe5abd38

bpf: prevent out of bounds speculation on pointer arithmetic
https://github.com/torvalds/linux/commit/979d63d50c0c0f7bc537bf821e056cc9fe5abd38

bpf: fix sanitation of alu op with pointer / scalar type from different paths
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=d3bd7413e0ca40b60cf60d4003246d067cafdeda

bpf: fix sanitation of alu op with pointer / scalar type from different paths
https://github.com/torvalds/linux/commit/d3bd7413e0ca40b60cf60d4003246d067cafdeda

bpf: prevent out-of-bounds speculation
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=b2157399cc9898260d6031c5bfe45fe137c1fbe7

bpf: prevent out-of-bounds speculation
https://github.com/torvalds/linux/commit/b2157399cc9898260d6031c5bfe45fe137c1fbe7

Linux 5.0
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0

Linux 4.20.6
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.6

Linux 4.19.19
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.19

Linux 4.14.113
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.113

CVE-2019-7308 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-7308

CVE-2019-7308 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7308.html

CVE-2019-7308 | SUSE
https://www.suse.com/security/cve/CVE-2019-7308

CVE-2019-7308
https://security-tracker.debian.org/tracker/CVE-2019-7308

CVE-2019-7308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7308

CVE-2019-7308
https://nvd.nist.gov/vuln/detail/CVE-2019-7308

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: December 2, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.