A bypass was found for the Spectre v1 hardening in the eBPF engine of the Linux kernel. The code in kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.

References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1711
https://seclists.org/oss-sec/2019/q1/106

Upstream patches:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=979d63d50c0c0f7bc537bf821e056cc9fe5abd38
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d3bd7413e0ca40b60cf60d4003246d067cafdeda
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d5564ddcf2a0f5ba3fa1c3a1f8a1b59ad309553
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1672356]
Note: Currently, as of RHEL-7, it is not possible to use eBPF (i.e. to invoke a bpf() syscall) as a non-privileged user (i.e. not as the "root" user). Thus we do not consider this a security flaw in RHEL-7. Nevertheless, the current intent is to fix this flaw anyway in the upcoming RHEL-7.7. It will be possible in the upcoming RHEL-8 to invoke a bpf() syscall as a non-root user (using a certain kernel boot parameter). This way the kernel becomes tainted (and thus the system is not supported by Red Hat) but is still vulnerable. Thus the current intent is to fix this flaw anyway in the upcoming RHEL-8.
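One concrete check an administrator can run for the condition the note above turns on (whether unprivileged users can reach the bpf() syscall, and therefore the verifier, at all). This is an added example, not part of the bug entry or the kernel's own code; it assumes the kernel exposes the kernel.unprivileged_bpf_disabled sysctl at /proc/sys/kernel/unprivileged_bpf_disabled and that a value of 0 means unprivileged bpf() is permitted while any other value means the call is restricted to privileged users.

```shell
#!/bin/sh
# Added example (not from the Red Hat bug entry or the kernel tree): report
# whether unprivileged access to the bpf() syscall is switched off on a host.
# Assumption: the sysctl kernel.unprivileged_bpf_disabled is exposed at
# /proc/sys/kernel/unprivileged_bpf_disabled, where 0 means unprivileged
# users may call bpf() and any other value means the call is root-only.

# check_unpriv_bpf [path]
#   path defaults to the live sysctl file; a different path is useful for
#   testing against a captured value.
# Exit status: 0 = unprivileged bpf() disabled
#              1 = unprivileged bpf() enabled (verifier reachable without root)
#              2 = sysctl absent or unreadable (kernel too old, or not Linux)
check_unpriv_bpf() {
    path="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    if [ ! -r "$path" ]; then
        echo "unprivileged_bpf_disabled: not present or unreadable at $path"
        return 2
    fi
    # Strip the trailing newline and any stray whitespace from the value.
    value=$(tr -d '[:space:]' < "$path")
    case "$value" in
        0)
            echo "unprivileged_bpf_disabled=0: unprivileged users can reach the eBPF verifier"
            return 1 ;;
        *)
            echo "unprivileged_bpf_disabled=$value: bpf() is restricted to privileged users"
            return 0 ;;
    esac
}

# Run against the live host. The "|| live_status=$?" form keeps the script
# from aborting under "set -e" while still recording the result.
live_status=0
check_unpriv_bpf || live_status=$?
echo "check result: $live_status"
```

Reading the sysctl answers only the reachability question from the note; it says nothing about whether the verifier itself carries the upstream patches listed above, which has to be confirmed from the running kernel version and the vendor's errata for it.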
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-7308