CVE-2021-35477

Source
Severity Medium
Remote No
Type Information disclosure
Description
An issue has been discovered in the Linux kernel mechanism that mitigates Speculative Store Bypass in BPF. On affected systems, an unprivileged BPF program can exploit this issue to disclose the content of arbitrary kernel memory via a side-channel.

When protecting memory operations against Speculative Store Bypass, the technique used by the BPF verifier to manage speculation is unreliable. Specifically, each potentially problematic memory store operation is sanitized by inserting a preempting store of a zero value. The preempting store is incorrectly assumed to complete "fast" because it depends only on the BPF stack frame pointer. However, several scenarios have been identified in which this assumption does not hold, demonstrated by a dependent load instruction executing speculatively ahead of the preempting store. Practical attacks have been shown to disclose the content of arbitrary kernel memory via a side-channel.
Group     Package          Affected               Fixed                  Severity  Status  Ticket
AVG-2257  linux-lts        5.10.55-1              5.10.56-1              Medium    Fixed
AVG-2256  linux-zen        5.13.7.zen1-1          5.13.8.zen1-1          Medium    Fixed
AVG-2255  linux            5.13.7.arch1-1         5.13.8.arch1-1         Medium    Fixed
AVG-2234  linux-hardened   5.12.19.hardened1-1    5.13.13.hardened1-1    Medium    Fixed
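A defender-side exposure check, added here as an example and not part of the Arch advisory: it compares an installed kernel package version (as printed by `pacman -Q <package>`) against the fixed versions in the table above, and reads the `kernel.unprivileged_bpf_disabled` sysctl, since a nonzero value removes the unprivileged BPF attack surface this issue requires. The version comparison is an assumed simplification of pacman's vercmp that is sufficient for these kernel pkgvers.

```python
import re

# Fixed versions from the advisory table above (AVG-2257, AVG-2256, AVG-2255, AVG-2234).
FIXED_VERSIONS = {
    "linux-lts": "5.10.56-1",
    "linux-zen": "5.13.8.zen1-1",
    "linux": "5.13.8.arch1-1",
    "linux-hardened": "5.13.13.hardened1-1",
}

# Sysctl governing whether unprivileged users may load BPF programs (nonzero = disabled).
BPF_SYSCTL = "/proc/sys/kernel/unprivileged_bpf_disabled"

def version_key(version):
    """Assumed simplification of pacman's vercmp: numeric runs compare as integers,
    letter runs (arch, zen, hardened) as strings; the trailing -N pkgrel is a numeric run."""
    key = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        if token.isdigit():
            key.append((0, int(token), ""))
        else:
            key.append((1, 0, token))
    return key

def is_patched(package, installed):
    """True when the installed version is at or above the advisory's fixed version."""
    if package not in FIXED_VERSIONS:
        raise ValueError(f"package not covered by this advisory: {package}")
    return version_key(installed) >= version_key(FIXED_VERSIONS[package])

def interpret_bpf_sysctl(contents):
    """Nonzero means unprivileged BPF is disabled, so an unprivileged program
    cannot reach the vulnerable verifier mitigation even on an unpatched kernel."""
    return int(contents.strip()) != 0

def read_bpf_sysctl(path=BPF_SYSCTL):
    try:
        with open(path) as f:
            return interpret_bpf_sysctl(f.read())
    except (OSError, ValueError):
        return None  # sysctl absent or unreadable: treated as unknown

def assess(package, installed, sysctl_path=BPF_SYSCTL):
    """Summarise exposure; an unknown sysctl state is counted as exposed (conservative)."""
    patched = is_patched(package, installed)
    bpf_disabled = read_bpf_sysctl(sysctl_path)
    return {"patched": patched, "unprivileged_bpf_disabled": bpf_disabled,
            "exposed": not patched and not bpf_disabled}
```

Call `assess("linux", version)` with the version field from `pacman -Q linux`; a result with `"exposed": True` means the kernel predates the fixed version and unprivileged BPF is still allowed.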
References
https://www.openwall.com/lists/oss-security/2021/08/01/3
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.8&id=ddab060f996e17b38bb181c5fd11a83fd1bfa0df
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.8&id=0b27bdf02c400684225ee5ee99970bcbf5082282
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.56&id=bea9e2fd180892eba2574711b05b794f1d0e7b73
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.56&id=0e9280654aa482088ee6ef3deadef331f5ac5fb0