CVE-2021-31829 - log

CVE-2021-31829 edited at 09 May 2021 09:02:16
References
https://www.openwall.com/lists/oss-security/2021/05/04/4
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.2&id=7cf64d8679ca1cb20cf57d6a88bfee79a0922a66
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.2&id=0356e50a7fa65e9b27cf3363a8f8188608859182
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.11.19&id=6eba92a4d4be8feb4dc33976abac544fa99d6ecc
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.11.19&id=b50fb1b08d6cb3b3b4661d254792794ecdfebab4
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.35&id=2cfa537674cd1051a3b8111536d77d0558f33d5d
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.35&id=2fa15d61e4cbaaa1d1250e67b251ff96952fa614
CVE-2021-31829 edited at 07 May 2021 17:03:23
References
https://www.openwall.com/lists/oss-security/2021/05/04/4
- https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=b9b34ddbe2076ade359cd5ce7537d5ed019e9807
- https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=801c6058d14a82179a7ee17a4b532cac6fad067f
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.2&id=7cf64d8679ca1cb20cf57d6a88bfee79a0922a66
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.2&id=0356e50a7fa65e9b27cf3363a8f8188608859182
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.35&id=2cfa537674cd1051a3b8111536d77d0558f33d5d
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.35&id=2fa15d61e4cbaaa1d1250e67b251ff96952fa614
CVE-2021-31829 edited at 06 May 2021 17:47:45
Description
+ kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.
- An issue has been discovered in the Linux kernel mechanism to mitigate speculative loads (Spectre mitigation). Unprivileged BPF programs running on affected systems can bypass the protection and execute speculative loads from the kernel stack. This can be abused to extract contents of the stack via side-channel. The extracted contents may include addresses of kernel structures that could be used to defeat Kernel Address Space Layout Randomization (KASLR) to facilitate exploitation of other vulnerabilities.
-
- The identified gap is that when protecting BPF stack pointer against speculative pointer arithmetic, the BPF stack area itself is not protected against speculative loads. This could be abused to perform speculative loads from any location within the BPF stack. And so any restricted data from the BPF stack could be disclosed, such as addresses of data structures referred by the BPF program. Further, the original content of kernel memory is not wiped when allocating the BPF stack, and could be disclosed as well.
CVE-2021-31829 edited at 04 May 2021 10:34:44
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Information disclosure
Description
+ An issue has been discovered in the Linux kernel mechanism to mitigate speculative loads (Spectre mitigation). Unprivileged BPF programs running on affected systems can bypass the protection and execute speculative loads from the kernel stack. This can be abused to extract contents of the stack via side-channel. The extracted contents may include addresses of kernel structures that could be used to defeat Kernel Address Space Layout Randomization (KASLR) to facilitate exploitation of other vulnerabilities.
+
+ The identified gap is that when protecting BPF stack pointer against speculative pointer arithmetic, the BPF stack area itself is not protected against speculative loads. This could be abused to perform speculative loads from any location within the BPF stack. And so any restricted data from the BPF stack could be disclosed, such as addresses of data structures referred by the BPF program. Further, the original content of kernel memory is not wiped when allocating the BPF stack, and could be disclosed as well.
References
+ https://www.openwall.com/lists/oss-security/2021/05/04/4
+ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=b9b34ddbe2076ade359cd5ce7537d5ed019e9807
+ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=801c6058d14a82179a7ee17a4b532cac6fad067f
CVE-2021-31829 created at 04 May 2021 10:32:23
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes