A vulnerability was discovered in retrieve_ptr_limit in kernel/bpf/verifier.c in the Linux kernel mechanism to mitigate speculatively out-of-bounds loads (Spectre mitigation). In this flaw a local, special user privileged (CAP_SYS_ADMIN) BPF programs running on affected systems can bypass the protection and execute speculatively out-of-bounds loads from the kernel memory. This can be abused to extract contents of kernel memory via side-channel.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1951597]
The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space.
For the Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled.
For the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command:
# cat /proc/sys/kernel/unprivileged_bpf_disabled
The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.
A kernel update will be required to mitigate the flaw for the root or users with CAP_SYS_ADMIN capabilities.