A bypass was found for the Spectre v1 hardening in the eBPF engine of the Linux kernel. The verifier code in kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases where different branches reach the same arithmetic with different state or different limits to sanitize, which can lead to side-channel attacks.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1672356]
Currently, as of RHEL-7, it is not possible for a non-privileged user (i.e. one who is not the "root" user) to use eBPF, i.e. to invoke the bpf() syscall. Thus we do not consider this a security flaw in RHEL-7. Nevertheless, the current intent is to fix this flaw anyway in the upcoming RHEL-7.7.
In the upcoming RHEL-8 it will be possible for a non-root user to invoke the bpf() syscall (by using a certain kernel boot parameter). Doing so taints the kernel (and thus leaves the system unsupported by Red Hat), but the kernel is still vulnerable. Thus the current intent is to fix this flaw anyway in the upcoming RHEL-8.
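The exposure described above hinges on whether an unprivileged user can reach BPF_PROG_LOAD at all. The following probe is an added example, not code from the Red Hat bug report or from the kernel: it attempts to load the smallest valid socket-filter program as the calling user and classifies the outcome by errno. It assumes a Linux build host with the UAPI headers (linux/bpf.h); the program type, the enum names and the errno mapping are this example's own choices.

```c
/* Probe whether the calling user can load an eBPF program via bpf(2).
 * Added example, not from the bug report; assumes Linux UAPI headers. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/bpf.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

enum bpf_access {
    BPF_ACCESS_ALLOWED,     /* BPF_PROG_LOAD succeeded: verifier reachable by this user */
    BPF_ACCESS_DENIED,      /* EPERM: unprivileged bpf() disabled or capability missing */
    BPF_ACCESS_UNAVAILABLE, /* ENOSYS: no bpf() syscall (config or seccomp) */
    BPF_ACCESS_OTHER        /* any other failure, e.g. EINVAL from a header mismatch */
};

static long sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
{
    return syscall(__NR_bpf, cmd, attr, size);
}

/* Map the errno of a failed BPF_PROG_LOAD to an access category. */
enum bpf_access classify_bpf_errno(int err)
{
    switch (err) {
    case EPERM:  return BPF_ACCESS_DENIED;
    case ENOSYS: return BPF_ACCESS_UNAVAILABLE;
    default:     return BPF_ACCESS_OTHER;
    }
}

/* Try to load "r0 = 0; exit" as a socket filter. Socket filters are the
 * program type the kernel permits to unprivileged users when it permits
 * unprivileged bpf() at all, so EPERM here means the bpf() surface is
 * closed to this user, which is the RHEL-7 situation described above. */
enum bpf_access probe_bpf_prog_load(void)
{
    struct bpf_insn insns[2];
    union bpf_attr attr;
    int fd;

    memset(insns, 0, sizeof(insns));
    insns[0].code = BPF_ALU64 | BPF_MOV | BPF_K;  /* r0 = 0 */
    insns[0].dst_reg = BPF_REG_0;
    insns[1].code = BPF_JMP | BPF_EXIT;           /* exit */

    memset(&attr, 0, sizeof(attr));
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insns = (__u64)(unsigned long)insns;
    attr.insn_cnt = 2;
    attr.license = (__u64)(unsigned long)"GPL";

    fd = sys_bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
    if (fd >= 0) {
        close(fd);
        return BPF_ACCESS_ALLOWED;
    }
    return classify_bpf_errno(errno);
}

int main(void)
{
    static const char *names[] = {
        "allowed", "denied (EPERM)", "unavailable (ENOSYS)", "other error"
    };
    enum bpf_access a = probe_bpf_prog_load();
    printf("uid %u: BPF_PROG_LOAD %s\n", (unsigned)getuid(), names[a]);
    return 0;
}
```

Run it as an ordinary user: "denied (EPERM)" means the verifier cannot be reached from that account, which is what makes the flaw non-exploitable on an unpatched RHEL-7; "allowed" means the verifier is reachable and the kernel must carry the verifier fix. Note that a successful load only tells you the attack surface is open, not whether the sanitization bypass itself is present in that kernel.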
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):