Vulnerability in the eBPF subsystem that allows bypassing mitigations against Spectre-class attacks

A vulnerability has been identified in the Linux kernel (CVE-2021-33624) that allows the eBPF subsystem to be used to bypass mitigations against Spectre-class attacks, which infer the contents of memory by creating conditions for the speculative execution of certain operations. A Spectre attack requires a particular sequence of instructions to be present in privileged code, leading to speculative execution. By manipulating the BPF programs submitted for execution, an attacker can generate such a sequence inside eBPF and leak the contents of kernel memory, and arbitrary areas of physical memory, through side channels.

The vulnerability is caused by flaws in the verifier, which checks BPF programs for errors and disallowed behaviour before they are loaded. The verifier enumerates the possible execution paths of a program, but it skips branch outcomes that cannot occur under the architectural semantics of the instruction set, that is, outcomes that are unreachable in non-speculative execution given the register state the verifier has derived. At run time, such a branch that the verifier never examined can still be mispredicted by the processor and executed speculatively. For example, when analysing a load instruction the verifier assumes that the address register always holds a value within the bounds it has established, but an attacker can arrange for the processor to speculatively perform the load with an address that does not satisfy those checks.
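The following toy model, added here as an illustration and not taken from the kernel or from the linked patches, shows the mechanism described above: a verifier that explores only the architecturally reachable side of a branch accepts a program whose statically dead branch contains an out-of-bounds load, while a verifier that also walks the dead side as a speculative path rejects it. The instruction set, register model, buffer size and the sample program are all simplified assumptions made for this example; in particular the real verifier derives branch outcomes from much richer type and bounds information than the constant comparison used here, and the real fix treats the compared registers as unknown on the speculative path, which the model mirrors.

```c
/* Toy model of BPF verifier path exploration, constructed to illustrate
 * CVE-2021-33624.  Not kernel code: instruction set, register model and the
 * program below are simplified assumptions for this example only. */
#include <stdbool.h>
#include <stdio.h>

#define BUF_SIZE 64                 /* assumed size of the buffer r1 points to at entry */
#define NREGS 4
#define UNBOUNDED_MIN (-(1LL << 40))
#define UNBOUNDED_MAX ((1LL << 40))

enum op { MOV_IMM, ADD_REG, JNE_IMM, LDX, EXIT };
struct insn { enum op op; int dst, src; long long imm; int off; };

enum rtype { NOT_INIT, SCALAR, PTR_TO_BUF };
struct reg { enum rtype type; long long min, max; }; /* value range, or pointer offset range */
struct state { struct reg regs[NREGS]; int pc; bool speculative; };

static struct reg unknown_scalar(void)
{
    struct reg r = { SCALAR, UNBOUNDED_MIN, UNBOUNDED_MAX };
    return r;
}

/* Returns true if every load on every explored path stays inside the buffer.
 * explore_dead_branches == false: pre-fix behaviour, the side of a branch whose
 * outcome is statically known is never examined.
 * explore_dead_branches == true: that side is also walked as a speculative path
 * and an out-of-bounds load there rejects the whole program. */
static bool walk(const struct insn *prog, int len, struct state st, bool explore_dead_branches)
{
    while (st.pc >= 0 && st.pc < len) {
        const struct insn *in = &prog[st.pc];
        struct reg *d = &st.regs[in->dst];
        switch (in->op) {
        case MOV_IMM:
            d->type = SCALAR; d->min = d->max = in->imm;
            st.pc++;
            break;
        case ADD_REG: {
            const struct reg *s = &st.regs[in->src];
            if (s->type != SCALAR || d->type == NOT_INIT) return false;
            d->min += s->min; d->max += s->max;  /* adding a scalar widens the offset range */
            st.pc++;
            break;
        }
        case JNE_IMM: {
            bool known = d->type == SCALAR && d->min == d->max;
            if (!known) {
                /* outcome unknown: both sides are real paths and both must be safe */
                struct state taken = st;
                taken.pc = st.pc + 1 + in->off;
                if (!walk(prog, len, taken, explore_dead_branches)) return false;
                st.pc++;
                break;
            }
            bool taken_stat = d->min != in->imm;
            int live_pc = taken_stat ? st.pc + 1 + in->off : st.pc + 1;
            int dead_pc = taken_stat ? st.pc + 1 : st.pc + 1 + in->off;
            if (explore_dead_branches) {
                struct state spec = st;
                spec.pc = dead_pc; spec.speculative = true;
                spec.regs[in->dst] = unknown_scalar(); /* under misprediction its value is anything */
                if (!walk(prog, len, spec, true)) return false;
            }
            st.pc = live_pc;
            break;
        }
        case LDX: {
            const struct reg *p = &st.regs[in->src];
            if (p->type != PTR_TO_BUF) return false;
            if (p->min + in->off < 0 || p->max + in->off + 8 > BUF_SIZE) {
                if (st.speculative)
                    printf("  rejected: out-of-bounds load on speculative path at insn %d\n", st.pc);
                return false;
            }
            *d = unknown_scalar();
            st.pc++;
            break;
        }
        case EXIT:
            return true;
        }
    }
    return false; /* fell off the end of the program */
}

/* Constructed program.  Entry state: r1 = pointer to a BUF_SIZE-byte buffer,
 * r2 = attacker-controlled scalar with unknown bounds (e.g. read from a map). */
static const struct insn prog[] = {
    { MOV_IMM, 3, 0, 0, 0 },  /* 0: r3 = 0                                            */
    { JNE_IMM, 3, 0, 0, 2 },  /* 1: if (r3 != 0) goto 4   statically never taken        */
    { LDX,     0, 1, 0, 0 },  /* 2: r0 = *(r1 + 0)        in bounds, what gets verified */
    { EXIT,    0, 0, 0, 0 },  /* 3: exit                                              */
    { ADD_REG, 1, 2, 0, 0 },  /* 4: r1 += r2              reached only on misprediction */
    { LDX,     0, 1, 0, 0 },  /* 5: r0 = *(r1 + 0)        speculative out-of-bounds read */
    { EXIT,    0, 0, 0, 0 },  /* 6: exit                                              */
};

static bool verify(bool explore_dead_branches)
{
    struct state st = { .pc = 0, .speculative = false };
    st.regs[1].type = PTR_TO_BUF; st.regs[1].min = st.regs[1].max = 0;
    st.regs[2] = unknown_scalar();
    return walk(prog, (int)(sizeof prog / sizeof prog[0]), st, explore_dead_branches);
}

int main(void)
{
    printf("pre-fix verifier (dead branch skipped):  %s\n", verify(false) ? "ACCEPT" : "REJECT");
    printf("fixed verifier (dead branch speculated): %s\n", verify(true) ? "ACCEPT" : "REJECT");
    return 0;
}
```

The point of the model is the asymmetry at instruction 1: architecturally the jump is never taken, so a verifier that reasons only about architectural semantics never looks at instructions 4 and 5, yet the processor is free to predict the jump as taken and run them speculatively, with r1 already pointing far outside the buffer. Treating the compared register as unknown on the speculative path is what makes the check conservative: the verifier no longer relies on a value that a misprediction would not respect.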

The problem has been present since the release of kernel 4.15 and has been fixed by a series of patches (1, 2, 3, 4). Distribution kernels have not yet shipped the fix (Debian, RHEL, Ubuntu, Fedora, SUSE, Arch).

Also worth noting is a note on the performance impact of Spectre-class mitigations. It summarizes the results of optimizing the rr (Record and Replay) debugger, originally created by Mozilla to debug hard-to-reproduce bugs in Firefox. Caching the system calls used to check whether directories exist reduced the run time of the "rr sources" command on the test project from 3 minutes 19 seconds to 36 seconds.

The author of the optimization then checked how much performance changes with the Spectre mitigations disabled. After booting the system with the "mitigations=off" kernel parameter, "rr sources" took 2 minutes 5 seconds without the optimization (1.6 times faster) and 33 seconds with it (9% faster). Interestingly, disabling the mitigations not only cut the time spent in kernel code by a factor of 1.4 (from 2m9s to 1m32s) but also halved the time spent in user space (from 1m9s to 0m33s), presumably because the CPU cache works less efficiently and the TLB is flushed more often while the Spectre mitigations are enabled.

Source: opennet.ru
