A numeric error in the Linux kernel mechanism to mitigate speculatively out-of-bounds loads (Spectre mitigation) has been identified. Unprivileged BPF programs running on affected 64-bit systems can exploit this to execute speculatively out-of-bounds loads from 4GB window within the kernel memory. This can be abused to extract contents of kernel memory via side-channel. The identified issue is when computing ptr_limit for preventing out-of-bounds speculation on pointer arithmetic. The computation of ptr_limit is off-by-one whenever the pointer moves to the left. The computed ptr_limit is zero in particular when subtracting zero offset from a pointer that is already at the beginning of map element value. This leads to integer underflow in fixup_bpf_calls() where sanitization code is generated. The issue is fixed in kernel versions 5.11.8 and 5.10.25. |