CVE-2021-34556 log

Severity Medium
Remote No
Type Information disclosure
An issue has been discovered in the Linux kernel mechanism to mitigate Speculative Store Bypass in BPF. On affected systems, an unprivileged BPF program can exploit any of these issues to disclose the content of arbitrary kernel memory via a side-channel.

When identifying memory store operations to be protected against Speculative Store Bypass, any uninitialized BPF stack locations are not considered. And so for each BPF stack location, the BPF verifier never attempts to protect the first store operation. Further, the BPF stack is allocated without any sanitation of preexisting memory content. Thus any later load instruction, that depends on the unprotected store, may speculatively execute ahead of the store to use unsanitized memory. Whenever it is possible to control content of the unsanitized memory before running the BPF program, this issue can be abused to perform speculative load from arbitrary memory location. A practical attack has been demonstrated to disclose content of arbitrary kernel memory via a side-channel.
Group Package Affected Fixed Severity Status Ticket
AVG-2257 linux-lts 5.10.55-1 5.10.56-1 Medium Fixed
AVG-2256 linux-zen 5.13.7.zen1-1 5.13.8.zen1-1 Medium Fixed
AVG-2255 linux 5.13.7.arch1-1 5.13.8.arch1-1 Medium Fixed
AVG-2234 linux-hardened 5.12.19.hardened1-1 5.13.13.hardened1-1 Medium Fixed