CVE-2020-27171 - log

CVE-2020-27171 edited at 24 Mar 2021 20:30:43
References
https://www.openwall.com/lists/oss-security/2021/03/19/3
+ https://www.openwall.com/lists/oss-security/2021/03/24/5
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.11.8&id=c4f3aa4343deccf5b8e1bfcc7c36224aaf3a8b26
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.25&id=ac1b87a18c1ffbe3d093000b762121b5aae0a3f9
CVE-2020-27171 edited at 20 Mar 2021 19:02:53
Description
- A numeric error in the Linux kernel mechanism to mitigate speculative out-of-bounds loads (Spectre mitigation) has been identified. Unprivileged BPF programs running on affected 64-bit systems can exploit this to execute speculative out-of-bounds loads from a 4GB window within kernel memory. This can be abused to extract the contents of kernel memory via a side channel. The identified issue is in the computation of ptr_limit, which is meant to prevent out-of-bounds speculation on pointer arithmetic. The computation of ptr_limit is off by one whenever the pointer moves to the left. In particular, the computed ptr_limit is zero when a zero offset is subtracted from a pointer that is already at the beginning of a map element value. This leads to an integer underflow in fixup_bpf_calls(), where the sanitization code is generated.
+ A numeric error in the Linux kernel mechanism to mitigate speculative out-of-bounds loads (Spectre mitigation) has been identified. Unprivileged BPF programs running on affected 64-bit systems can exploit this to execute speculative out-of-bounds loads from a 4GB window within kernel memory. This can be abused to extract the contents of kernel memory via a side channel. The identified issue is in the computation of ptr_limit, which is meant to prevent out-of-bounds speculation on pointer arithmetic. The computation of ptr_limit is off by one whenever the pointer moves to the left. In particular, the computed ptr_limit is zero when a zero offset is subtracted from a pointer that is already at the beginning of a map element value. This leads to an integer underflow in fixup_bpf_calls(), where the sanitization code is generated. The issue is fixed in kernel versions 5.11.8 and 5.10.25.
References
https://www.openwall.com/lists/oss-security/2021/03/19/3
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.11.8&id=c4f3aa4343deccf5b8e1bfcc7c36224aaf3a8b26
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.25&id=ac1b87a18c1ffbe3d093000b762121b5aae0a3f9
CVE-2020-27171 edited at 19 Mar 2021 12:15:26
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Information disclosure
Description
+ A numeric error in the Linux kernel mechanism to mitigate speculative out-of-bounds loads (Spectre mitigation) has been identified. Unprivileged BPF programs running on affected 64-bit systems can exploit this to execute speculative out-of-bounds loads from a 4GB window within kernel memory. This can be abused to extract the contents of kernel memory via a side channel. The identified issue is in the computation of ptr_limit, which is meant to prevent out-of-bounds speculation on pointer arithmetic. The computation of ptr_limit is off by one whenever the pointer moves to the left. In particular, the computed ptr_limit is zero when a zero offset is subtracted from a pointer that is already at the beginning of a map element value. This leads to an integer underflow in fixup_bpf_calls(), where the sanitization code is generated.
References
+ https://www.openwall.com/lists/oss-security/2021/03/19/3
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899
Notes
CVE-2020-27171 created at 19 Mar 2021 12:11:44