CVE-2021-34556 - log

CVE-2021-34556 edited at 04 Aug 2021 20:11:58
References
https://www.openwall.com/lists/oss-security/2021/08/01/3
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5e81d1117501546b7be050c5fbafa6efd2c722c
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2039f26f3aca5b0e419b98f65dd36481337b86ee
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.8&id=ddab060f996e17b38bb181c5fd11a83fd1bfa0df
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.8&id=0b27bdf02c400684225ee5ee99970bcbf5082282
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.56&id=bea9e2fd180892eba2574711b05b794f1d0e7b73
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.56&id=0e9280654aa482088ee6ef3deadef331f5ac5fb0
CVE-2021-34556 edited at 03 Aug 2021 15:48:50
Description
- An issue has been discovered in the Linux kernel mechanism to mitigate Speculative Store Bypass in BPF. On affected systems, an unprivileged BPF program can exploit any of
+ An issue has been discovered in the Linux kernel mechanism to mitigate Speculative Store Bypass in BPF. On affected systems, an unprivileged BPF program can exploit any of these issues to disclose the content of arbitrary kernel memory via a side-channel.
- these issues to disclose the content of arbitrary kernel memory via a side-channel.
+ When identifying memory store operations to be protected against Speculative Store Bypass, any uninitialized BPF stack locations are not considered. And so for each BPF stack location, the BPF verifier never attempts to protect the first store operation. Further, the BPF stack is allocated without any sanitation of preexisting memory content. Thus any later load instruction, that depends on the unprotected store, may speculatively execute ahead of the store to use unsanitized memory. Whenever it is possible to control content of the unsanitized memory before running the BPF program, this issue can be abused to perform speculative load from arbitrary memory location. A practical attack has been demonstrated to disclose content of arbitrary kernel memory via a side-channel.
- When identifying memory store operations to be protected against Speculative Store Bypass, any uninitialized BPF stack locations are not considered. And so for each BPF stack
- location, the BPF verifier never attempts to protect the first store operation. Further, the BPF stack is allocated without any sanitation of preexisting memory content. Thus any later load instruction, that depends on the unprotected store, may speculatively execute ahead of the store to use unsanitized memory. Whenever it is possible to control content of the unsanitized memory before running the BPF program, this issue can be abused to perform speculative load from arbitrary memory location. A practical attack has been demonstrated to disclose content of arbitrary kernel memory via a side-channel.
CVE-2021-34556 edited at 02 Aug 2021 08:36:06
References
https://www.openwall.com/lists/oss-security/2021/08/01/3
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5e81d1117501546b7be050c5fbafa6efd2c722c
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2039f26f3aca5b0e419b98f65dd36481337b86ee
CVE-2021-34556 edited at 02 Aug 2021 08:32:59
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Information disclosure
Description
+ An issue has been discovered in the Linux kernel mechanism to mitigate Speculative Store Bypass in BPF. On affected systems, an unprivileged BPF program can exploit any of
+ these issues to disclose the content of arbitrary kernel memory via a side-channel.
+
+ When identifying memory store operations to be protected against Speculative Store Bypass, any uninitialized BPF stack locations are not considered. And so for each BPF stack
+ location, the BPF verifier never attempts to protect the first store operation. Further, the BPF stack is allocated without any sanitation of preexisting memory content. Thus any later load instruction, that depends on the unprotected store, may speculatively execute ahead of the store to use unsanitized memory. Whenever it is possible to control content of the unsanitized memory before running the BPF program, this issue can be abused to perform speculative load from arbitrary memory location. A practical attack has been demonstrated to disclose content of arbitrary kernel memory via a side-channel.
References
+ https://www.openwall.com/lists/oss-security/2021/08/01/3
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2039f26f3aca5b0e419b98f65dd36481337b86ee
CVE-2021-34556 created at 02 Aug 2021 08:29:23
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes