Vulnerability in the eBPF subsystem allows bypassing protection against Spectre attacks

A vulnerability (CVE-2021-33624) has been identified in the Linux kernel that allows the eBPF subsystem to be used to bypass protection against Spectre-class vulnerabilities, making it possible to determine the contents of memory by creating conditions for the speculative execution of certain operations. A Spectre attack requires a specific sequence of instructions in privileged code that leads to speculative execution. By manipulating the BPF programs passed to the kernel, such instruction sequences can be produced in eBPF, leaking the contents of kernel memory and arbitrary physical memory regions through side channels.

The vulnerability is caused by flaws in the verifier, which is used to detect errors and invalid activity in BPF programs. The verifier walks the possible execution paths of the code, but skips branch directions that are impossible under the semantics of the instruction set architecture. When the BPF program runs, such branches, which the verifier did not consider, can be mispredicted by the processor and executed speculatively. For example, when analysing a load operation, the verifier determines that the value of the register used as the address in the instruction always lies within the specified bounds, but an attacker can create conditions under which the processor speculatively performs the operation with an address that does not satisfy the checked conditions.
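As an added illustration (written for this page, not code from the article or the kernel's verifier), a toy verifier over a constructed four-instruction set shows the two behaviours described above: pruning a branch direction that is impossible under the ISA semantics accepts a program whose dead path contains an out-of-bounds load, while also walking that direction, treating the compared register as unknown, rejects it. The instruction set, the buffer bound and the sample program are assumptions.

```python
# Toy model of the verifier flaw: only branch directions that are possible
# architecturally are explored, so a load on a "dead" path is never checked,
# although a mispredicting CPU may still execute it speculatively.
BUF_LEN = 16  # constructed: loads are in bounds only for index 0..15
UNKNOWN = (-2**63, 2**63 - 1)  # range of a register the verifier knows nothing about

# Instructions: ("mov", reg, imm), ("jgt", reg, imm, target), ("load", reg), ("exit",)
# jgt: jump to target if reg > imm, else fall through.  load: read buf[reg].

def verify(prog, explore_dead_branches):
    """Return None if every load visited is in bounds, else the pc of the first
    offending load.  Registers are tracked as (lo, hi) value ranges."""
    worklist = [(0, {})]  # (pc, register ranges) states still to analyse
    seen = set()
    while worklist:
        pc, regs = worklist.pop()
        key = (pc, tuple(sorted(regs.items())))
        if key in seen:
            continue
        seen.add(key)
        op = prog[pc]
        if op[0] == "exit":
            continue
        if op[0] == "mov":
            worklist.append((pc + 1, {**regs, op[1]: (op[2], op[2])}))
        elif op[0] == "load":
            lo, hi = regs.get(op[1], UNKNOWN)
            if lo < 0 or hi >= BUF_LEN:
                return pc
            worklist.append((pc + 1, regs))
        elif op[0] == "jgt":
            _, reg, imm, target = op
            lo, hi = regs.get(reg, UNKNOWN)
            if hi > imm:                 # taken direction is architecturally possible
                worklist.append((target, {**regs, reg: (max(lo, imm + 1), hi)}))
            elif explore_dead_branches:  # impossible architecturally, reachable speculatively
                worklist.append((target, {**regs, reg: UNKNOWN}))
            if lo <= imm:                # fall-through is architecturally possible
                worklist.append((pc + 1, {**regs, reg: (lo, min(hi, imm))}))
            elif explore_dead_branches:
                worklist.append((pc + 1, {**regs, reg: UNKNOWN}))
    return None

# Constructed program: r1 is always 100, so the branch always skips the load.
PROG = [
    ("mov", "r1", 100),
    ("jgt", "r1", BUF_LEN - 1, 3),  # always taken architecturally
    ("load", "r1"),                 # dead path: buf[100] if executed speculatively
    ("exit",),
]

if __name__ == "__main__":
    print(verify(PROG, False))  # None: accepted, the dead path is never checked
    print(verify(PROG, True))   # 2: rejected, the speculative path reaches the load
```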

The problem has been present since kernel release 4.15 and is fixed by a set of patches ( 1 , 2 , 3 , 4 ). In distributions the vulnerability is still unfixed ( Debian , RHEL , Ubuntu , Fedora , SUSE , Arch ).

Additionally, a note on the performance impact of protection against Spectre-class vulnerabilities is worth mentioning. The note summarises the results of optimising the rr debugger.
