{
  "threat_severity" : "Moderate",
  "public_date" : "2025-03-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation",
    "id" : "2355458",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2355458"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf: Fix pointer-leak due to insufficient speculative store bypass mitigation\nTo mitigate Spectre v4, 2039f26f3aca (\"bpf: Fix leakage due to\ninsufficient speculative store bypass mitigation\") inserts lfence\ninstructions after 1) initializing a stack slot and 2) spilling a\npointer to the stack.\nHowever, this does not cover cases where a stack slot is first\ninitialized with a pointer (subject to sanitization) but then\noverwritten with a scalar (not subject to sanitization because\nthe slot was already initialized). In this case, the second write\nmay be subject to speculative store bypass (SSB) creating a\nspeculative pointer-as-scalar type confusion. This allows the\nprogram to subsequently leak the numerical pointer value using,\nfor example, a branch-based cache side channel.\nTo fix this, also sanitize scalars if they write a stack slot\nthat previously contained a pointer. Assuming that pointer-spills\nare only generated by LLVM on register-pressure, the performance\nimpact on most real-world BPF programs should be small.\nThe following unprivileged BPF bytecode drafts a minimal exploit\nand the mitigation:\n[...]\n// r6 = 0 or 1 (scalar, unknown user input)\n// r7 = accessible ptr for side channel\n// r10 = frame pointer (fp), to be leaked\n//\nr9 = r10 # fp alias to encourage ssb\n*(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked\n// lfence added here because of pointer spill to stack.\n//\n// Omitted: Dummy bpf_ringbuf_output() here to train alias predictor\n// for no r9-r10 dependency.\n//\n*(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr\n// 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,\n// store may be subject to SSB\n//\n// fix: also add an lfence when the slot contained a ptr\n//\nr8 = *(u64 *)(r9 - 8)\n// r8 = architecturally a scalar, speculatively a ptr\n//\n// leak ptr using branch-based cache side channel:\nr8 &= 1 // choose bit to leak\nif r8 == 0 goto SLOW // no mispredict\n// architecturally dead code if input r6 is 0,\n// only executes speculatively iff ptr bit is 1\nr8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)\nSLOW:\n[...]\nAfter running this, the program can time the access to *(r7 + 0) to\ndetermine whether the chosen pointer bit was 0 or 1. Repeat this 64\ntimes to recover the whole address on amd64.\nIn summary, sanitization can only be skipped if one scalar is\noverwritten with another scalar. Scalar-confusion due to speculative\nstore bypass can not lead to invalid accesses because the pointer\nbounds deducted during verification are enforced using branchless\nlogic. See 979d63d50c0c (\"bpf: prevent out of bounds speculation on\npointer arithmetic\") for details.\nDo not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks}\nbecause speculative leaks are likely unexpected if these were enabled.\nFor example, leaking the address to a protected log file may be acceptable\nwhile disabling the mitigation might unintentionally leak the address\ninto the cached-state of a map that is accessible to unprivileged\nprocesses.", "A vulnerability was found in the Linux kernel's eBPF verifier function `check_stack_write()`, where pointer leakage can occur due to insufficient speculative store bypass mitigation. This issue occurs because the original mitigation inserts `lfence` instructions only after initializing a stack slot and after spilling a pointer to the stack. This does not protect against cases where a stack slot is initialized with a pointer and then overwritten with a scalar. When the overwrite happens, it may be subject to speculative store bypass (SSB), allowing the program to leak the numerical pointer value." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53024\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53024\nhttps://lore.kernel.org/linux-cve-announce/2025032719-CVE-2023-53024-8d19@gregkh/T" ],
  "name" : "CVE-2023-53024",
  "csaw" : false
}