
Bug 1672355 (CVE-2019-7308)

Summary: CVE-2019-7308 kernel: eBPF: Spectre v1 mitigation bypass
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abhgupta, dbaker, jokerman, sthangav, trankin, vdronov, yozone
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 4.20.6
Doc Text:
A bypass was found for the Spectre v1 hardening in the eBPF engine of the Linux kernel. The pointer-arithmetic sanitization in kernel/bpf/verifier.c fails to prevent out-of-bounds speculation in several cases, including when the same instruction is reached from different branches with different state or limits to sanitize, allowing side-channel attacks.
Last Closed: 2019-08-06 13:21:47 UTC
Bug Depends On: 1672356, 1673617, 1673618, 1673631, 1673632

Description Laura Pardo 2019-02-04 17:31:29 UTC
A bypass was found for the Spectre v1 hardening in the eBPF engine of the Linux kernel. The code in kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1711

https://seclists.org/oss-sec/2019/q1/106

Upstream patches:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=979d63d50c0c0f7bc537bf821e056cc9fe5abd38

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d3bd7413e0ca40b60cf60d4003246d067cafdeda

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d5564ddcf2a0f5ba3fa1c3a1f8a1b59ad309553
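The following is an added user-space model, not code from this bug report or from the kernel, of the two pieces the description refers to: the branchless masking the verifier patches in place of "ptr += off" (the sequence mirrors the verifier's rewrite, with the per-instruction limit called alu_limit as in the kernel) and the per-instruction limit bookkeeping that the first upstream patch tightens. The 16-byte map value, the two pointer offsets, the simplified limit derivation in ptr_limit, and the names of the record_* functions are constructed for the illustration; the real check also compares the pointer-vs-scalar and sign state of the operands, which this model reduces to the limit alone.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration (not kernel code): a user-space model of the eBPF
 * verifier's Spectre v1 pointer-arithmetic sanitization and of the
 * per-instruction limit bookkeeping that CVE-2019-7308 is about.
 * The map size, pointer offsets and the bookkeeping are constructed and
 * simplified; only the masking sequence follows the verifier's rewrite. */

#define MODEL_EACCES 13 /* stand-in for the kernel's EACCES */

/* Runtime masking emitted in place of "ptr += off":
 *   AX = limit - 1; AX -= off; AX |= off; AX = -AX; AX s>>= 63; off &= AX
 * It is branchless, so the CPU has no bounds-check branch to mispredict.
 * For 0 <= off < 2^63 the result is off when off < limit and 0 otherwise,
 * i.e. an out-of-range offset collapses to an in-bounds one. */
static uint64_t sanitize_offset(uint64_t off, uint32_t alu_limit)
{
    uint64_t ax = (uint64_t)(alu_limit - 1u); /* MOV32_IMM: zero-extended */
    ax -= off;                                /* sign bit set iff off > limit-1 */
    ax |= off;                                /* keeps that sign bit */
    ax = 0u - ax;                             /* NEG (wraps, no UB) */
    ax = (ax >> 63) ? UINT64_MAX : 0;         /* ARSH 63: all-ones or zero */
    return off & ax;
}

/* Verifier-side record for one "ptr += off" instruction.  The rewrite is
 * patched in once per instruction, so it can carry only one limit. */
struct insn_aux {
    bool     recorded;
    uint32_t alu_limit;
};

/* Simplified limit for a pointer ptr_off bytes into a map value of
 * value_size bytes: every off below it keeps the access inside the value. */
static uint32_t ptr_limit(uint32_t value_size, uint32_t ptr_off)
{
    return value_size - ptr_off;
}

/* Pre-fix bookkeeping: the first path to reach the instruction wins. */
static int record_limit_first_wins(struct insn_aux *aux, uint32_t limit)
{
    if (!aux->recorded) {
        aux->recorded = true;
        aux->alu_limit = limit;
    }
    return 0;
}

/* Fixed bookkeeping (upstream 979d63d50c0c): reaching the same instruction
 * from another path with a different limit rejects the program. */
static int record_limit_checked(struct insn_aux *aux, uint32_t limit)
{
    if (aux->recorded && aux->alu_limit != limit)
        return -MODEL_EACCES;
    aux->recorded = true;
    aux->alu_limit = limit;
    return 0;
}

/* Constructed scenario: a 16-byte map value.  Path A reaches the shared
 * "ptr += off" with ptr at offset 0 (limit 16); path B gets there after a
 * conditional "ptr += 12", so ptr is at offset 12 (limit 4). */
enum { VALUE_SIZE = 16, PATH_A_OFF = 0, PATH_B_OFF = 12 };

static int verify_two_paths(int (*record)(struct insn_aux *, uint32_t),
                            struct insn_aux *aux)
{
    int err = record(aux, ptr_limit(VALUE_SIZE, PATH_A_OFF));
    return err ? err : record(aux, ptr_limit(VALUE_SIZE, PATH_B_OFF));
}

/* Byte index the masked access touches on path B for a given off. */
static uint64_t path_b_access(uint64_t off, uint32_t alu_limit)
{
    return PATH_B_OFF + sanitize_offset(off, alu_limit);
}

/* Pre-fix: the program loads, and on path B an attacker-chosen off=10 passes
 * the mask built from path A's limit of 16, so the speculative access lands
 * at byte 22 of a 16-byte value.  Returns that index. */
static uint64_t prefix_speculative_index(void)
{
    struct insn_aux aux = {0};
    if (verify_two_paths(record_limit_first_wins, &aux) != 0)
        return 0;
    return path_b_access(10, aux.alu_limit);
}

/* Fixed verifier: path B's limit (4) differs from the recorded 16, so the
 * program is refused at load time, before anything can run. */
static int fixed_verdict(void)
{
    struct insn_aux aux = {0};
    return verify_two_paths(record_limit_checked, &aux);
}

int main(void)
{
    printf("off=5,limit=8 -> %llu\n", (unsigned long long)sanitize_offset(5, 8));
    printf("off=8,limit=8 -> %llu\n", (unsigned long long)sanitize_offset(8, 8));
    printf("pre-fix path B index: %llu (value size %d)\n",
           (unsigned long long)prefix_speculative_index(), VALUE_SIZE);
    printf("fixed verifier verdict: %d\n", fixed_verdict());
    return 0;
}
```

With path B's own limit of 4 the same off=10 would be masked to 0 and the access would stay at byte 12; the bypass is precisely that one instruction can carry only one limit, so whichever path recorded it first decides what the other path's offsets are clamped against.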

Comment 1 Laura Pardo 2019-02-04 17:31:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1672356]

Comment 5 Vladis Dronov 2019-02-07 16:02:42 UTC
Note:

Currently, as of RHEL-7, it is not possible to use eBPF (i.e. to invoke a bpf() syscall) as a non-privileged user (i.e. not as the "root" user). Thus we do not consider this a security flaw in RHEL-7. Nevertheless, the current intent is to fix this flaw anyway in the upcoming RHEL-7.7.

It will be possible in the upcoming RHEL-8 to invoke a bpf() syscall as a non-root user (using a certain kernel boot parameter). This way the kernel becomes tainted (and thus the system is not supported by Red Hat) but is still vulnerable. Thus the current intent is to fix this flaw anyway in the upcoming RHEL-8.

Comment 9 Product Security DevOps Team 2019-08-06 13:21:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-7308