Linux Kernel's BPF Fixed Up Against Spectre Vulnerability Bypass

Until this week, the Linux kernel's BPF subsystem protections against speculative-execution (Spectre) attacks could be bypassed: an unprivileged BPF program could leak the contents of arbitrary kernel memory through a side channel.
The vulnerability was summed up in this oss-security message this week, "The issue is that when the kernel's BPF verifier enumerates the possible execution paths of a BPF program, it skips any branch outcomes that are impossible according to the ISA semantics. However, when the BPF program executes, such branch outcomes may be mispredicted and so a path could speculatively execute that was missed by the verifier."
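To make the quoted explanation concrete, here is a toy model of verifier path enumeration written for this article (it is not kernel code and not from the oss-security report): it compares a walk that skips branch outcomes impossible under the ISA semantics with one that also walks the mispredicted outcome, and reports the memory accesses the first walk never examined. The instruction forms, register names and sample program are constructed for the example.

```python
# Toy model of BPF verifier path enumeration (illustration only, not kernel code).
# Instruction forms, constructed for this example:
#   ("mov", dst, imm)           dst = imm (a known constant)
#   ("jne", reg, imm, target)   if reg != imm: jump to target
#   ("load", idx_reg, size)     read arr[idx_reg] from an array of `size` slots
#   ("exit",)

def verify(prog, explore_mispredicted):
    """Walk all paths of `prog` and return the set of pcs of load instructions
    the walk examined. A load that is never examined never gets the
    speculation sanitisation a real verifier would apply to it."""
    seen_loads = set()
    visited = set()                      # (pc, register state) already walked
    work = [(0, {"r0": None, "r1": None})]   # None = unknown value
    while work:
        pc, regs = work.pop()
        while pc < len(prog):
            state = (pc, tuple(sorted(regs.items(), key=str)))
            if state in visited:         # guard against looping programs
                break
            visited.add(state)
            ins = prog[pc]
            if ins[0] == "mov":
                regs = {**regs, ins[1]: ins[2]}
                pc += 1
            elif ins[0] == "jne":
                _, reg, imm, target = ins
                val = regs[reg]
                taken_possible = val is None or val != imm   # per ISA semantics
                fall_possible = val is None or val == imm
                if explore_mispredicted:
                    # a mispredicted branch may speculatively follow either outcome
                    taken_possible = fall_possible = True
                if taken_possible:
                    work.append((target, regs))
                if not fall_possible:
                    break
                pc += 1
            elif ins[0] == "load":
                seen_loads.add(pc)       # here the real verifier would sanitise
                pc += 1
            else:                        # "exit"
                break
    return seen_loads

def unsanitized_loads(prog):
    """Loads reachable only under misprediction that the ISA-only walk skipped."""
    return verify(prog, True) - verify(prog, False)

# Constructed sample: the load at pc 3 sits on a branch the ISA says is dead.
PROG = [("mov", "r0", 0), ("jne", "r0", 0, 3), ("exit",), ("load", "r1", 4), ("exit",)]
```

With the sample program, `unsanitized_loads(PROG)` returns `{3}`: the load on the architecturally dead branch is exactly the access the ISA-only enumeration never checked.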
There are various proofs of concept for this BPF vulnerability, which is tracked as CVE-2021-33624.
The fix has landed in Linux 5.13 Git, and the stable releases Linux 5.12.13, 5.10.46, and 5.4.128 are out so far with the patches back-ported.
This isn't the first time Spectre-related BPF vulnerabilities have cropped up recently: earlier this year Symantec noted two vulnerabilities that revealed memory contents via BPF.