Bug 1672355 (CVE-2019-7308) - CVE-2019-7308 kernel: eBPF: Spectre v1 mitigation bypass
Summary: CVE-2019-7308 kernel: eBPF: Spectre v1 mitigation bypass
Status: CLOSED ERRATA
Alias: CVE-2019-7308
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1672356 1673617 1673618 1673631 1673632
Blocks: 1672357
Reported: 2019-02-04 17:31 UTC by Laura Pardo
Modified: 2019-09-29 15:07 UTC (History)

Fixed In Version: kernel 4.20.6
Doc Type: If docs needed, set a value
Doc Text:
A bypass was found for the Spectre v1 hardening in the eBPF engine of the Linux kernel. The code in the kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.
Last Closed: 2019-08-06 13:21:47 UTC



Description Laura Pardo 2019-02-04 17:31:29 UTC
A bypass was found for the Spectre v1 hardening in the eBPF engine of the Linux kernel. The code in the kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1711

https://seclists.org/oss-sec/2019/q1/106

Upstream patches:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=979d63d50c0c0f7bc537bf821e056cc9fe5abd38

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d3bd7413e0ca40b60cf60d4003246d067cafdeda

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d5564ddcf2a0f5ba3fa1c3a1f8a1b59ad309553

Comment 1 Laura Pardo 2019-02-04 17:31:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1672356]

Comment 5 Vladis Dronov 2019-02-07 16:02:42 UTC
Note:

Currently, as of RHEL-7, it is not possible to use eBPF (i.e. to invoke a bpf() syscall) as a non-privileged user (i.e. not as the "root" user). Thus we do not consider this a security flaw in RHEL-7. Nevertheless, the current intent is to fix this flaw anyway in the upcoming RHEL-7.7.

It will be possible in the upcoming RHEL-8 to invoke a bpf() syscall as a non-root user (using a certain kernel boot parameter). This way the kernel becomes tainted (and thus the system is not supported by Red Hat) but is still vulnerable. Thus the current intent is to fix this flaw anyway in the upcoming RHEL-8.
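An added exposure check, written for this page and not taken from the bug report or from Red Hat, that puts the two conditions in the report side by side: whether the running kernel predates the upstream fix version the bug records (4.20.6), and whether unprivileged processes can reach bpf() at all, which Comment 5 identifies as the condition that makes the flaw reachable. It assumes the upstream kernel.unprivileged_bpf_disabled sysctl (readable as /proc/sys/kernel/unprivileged_bpf_disabled) as the switch that gates unprivileged bpf(); the report does not name the RHEL-8 boot parameter, and this example does not guess it.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a host's exposure to
# CVE-2019-7308 using the two facts the report gives:
#   1. the upstream fix landed in kernel 4.20.6 ("Fixed In Version"), and
#   2. the flaw is only reachable where unprivileged bpf() is allowed.
# Assumption: kernel.unprivileged_bpf_disabled is the upstream sysctl that
# gates unprivileged bpf() (0 = allowed, 1 or 2 = disabled).

FIXED_VERSION="4.20.6"   # "Fixed In Version" field of the bug

# kver_ge A B -> prints "yes" if dotted version A >= B, else "no".
# Non-numeric suffixes such as "-957.el7.x86_64" or "-generic" are ignored.
kver_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//'); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//'); y=${y:-0}
        if [ "$x" -gt "$y" ]; then echo yes; return 0; fi
        if [ "$x" -lt "$y" ]; then echo no;  return 0; fi
        i=$((i + 1))
    done
    echo yes   # all three components equal
}

# classify VERSION UNPRIV_BPF_DISABLED -> prints one of:
#   patched    kernel version carries the upstream fix
#   root-only  unpatched, but bpf() is not reachable by unprivileged users
#              (the RHEL-7 situation Comment 5 describes)
#   exposed    unpatched and unprivileged bpf() is allowed
#   unknown    unpatched and the sysctl could not be read
classify() {
    ver="$1"; unpriv_disabled="$2"
    if [ "$(kver_ge "$ver" "$FIXED_VERSION")" = yes ]; then
        echo patched
    elif [ "$unpriv_disabled" = "1" ] || [ "$unpriv_disabled" = "2" ]; then
        echo root-only
    elif [ "$unpriv_disabled" = "0" ]; then
        echo exposed
    else
        echo unknown
    fi
}

# Live check against the current host (reads real kernel state).
check_host() {
    ver=$(uname -r)
    if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
        unpriv=$(cat /proc/sys/kernel/unprivileged_bpf_disabled)
    else
        unpriv=unreadable
    fi
    printf 'kernel %s, unprivileged_bpf_disabled=%s -> %s\n' \
        "$ver" "$unpriv" "$(classify "$ver" "$unpriv")"
}

# Run the live check only when executed directly, so the functions can
# also be sourced for testing with constructed version strings.
[ "${0##*/}" = "cve-2019-7308-check.sh" ] && check_host
```

The version comparison is only meaningful against upstream-numbered kernels. Distribution kernels such as RHEL-7's 3.10-based series receive the fix as a backport, as Comment 5 indicates, so for those the vendor's CVE page (linked in Comment 9) rather than uname -r decides whether the host is patched; the script will report such kernels as "root-only" or "exposed" even after the backport is applied.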

Comment 9 Product Security DevOps Team 2019-08-06 13:21:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-7308
