A flaw was found in the Linux kernel, where a BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack. This issue occurs when the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack. The highest threat from this vulnerability is to confidentiality.

Mitigation

The default Red Hat Enterprise Linux kernel setting prevents unprivileged users from being able to use eBPF via the kernel.unprivileged_bpf_disabled sysctl. As such, exploiting this issue would require a privileged user with CAP_SYS_ADMIN or root.

For the Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled. For the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command:

cat /proc/sys/kernel/unprivileged_bpf_disabled

The setting of 1 (default) would mean that unprivileged users cannot use eBPF. Otherwise, to disable eBPF for unprivileged users, add:

kernel.unprivileged_bpf_disabled = 1

To the file "/etc/sysctl.d/disable-ebpf.conf"

Then running the following command as root:

sudo sysctl --system