A vulnerability has been found in the Linux kernel (CVE-2019-7308) that makes it possible to bypass the protection against Spectre v1 attacks by using the eBPF subsystem. The problem is fixed in kernel releases 4.19.19 and 4.20.6, but has not yet been patched in distributions (Debian, RHEL, SUSE, Ubuntu).
In order to read data from privileged memory areas with a Spectre v1 attack, a certain sequence of instructions must be present in the privileged code. Such instruction combinations were removed from the Linux kernel, but the developers did not take into account that the eBPF subsystem allows arbitrary BPF programs to be executed in the context of the kernel. By manipulating BPF bytecode, an attacker can get the eBPF JIT compiler to emit the combination of machine instructions that a Spectre v1 attack requires, one that leads to speculative access to out-of-bounds memory areas during pointer operations.
Additionally, a patch has been proposed for the Linux kernel that implements an additional mode for disabling Spectre protection based on the PSTATE SSBS (Speculative Store Bypass Safe) bit. Such protection significantly reduces performance, so it is enabled at the application level with the PR_SET_SPECULATION_CTRL command of prctl (as a rule, only programs containing a JIT, for example Java, are exposed to the attack). The problem is that once speculative operations are disabled, this state is inherited by child processes. To stop this inheritance (the blocking of speculative operations) when new processes are started, the PR_SPEC_DISABLE_NOEXEC flag has been proposed.
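The prctl interface described above, as an added example that is not part of the article or of the kernel patch: the program disables Speculative Store Bypass for itself in either the inherited mode or the proposed clear-on-exec mode, then forks and execs a shell that prints its own mitigation state from /proc/self/status. It is Linux only; the fallback constant values are the upstream ones, used when older headers lack them.

```c
/* Added example: exercise PR_SET_SPECULATION_CTRL and show what a child
 * sees after exec. Linux only; constants below mirror upstream linux/prctl.h. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/prctl.h>

#ifndef PR_SPEC_STORE_BYPASS            /* headers older than Linux 4.17 */
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC          /* headers older than Linux 5.1 */
#define PR_SPEC_DISABLE_NOEXEC  (1UL << 4)
#endif

/* Decode a PR_GET_SPECULATION_CTRL result (or a negative errno) for humans. */
const char *spec_state_name(long st)
{
    if (st < 0)                      return "query unsupported by this kernel";
    if (st == PR_SPEC_NOT_AFFECTED)  return "CPU not affected";
    if (!(st & PR_SPEC_PRCTL))       return "fixed by kernel policy, not per-task";
    if (st & PR_SPEC_FORCE_DISABLE)  return "disabled, forced, inherited across exec";
    if (st & PR_SPEC_DISABLE_NOEXEC) return "disabled, cleared on next exec";
    if (st & PR_SPEC_DISABLE)        return "disabled, inherited by children and across exec";
    return "enabled";
}

/* Current Speculative Store Bypass state of the calling thread, or -errno. */
long query_ssb(void)
{
    long r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Disable SSB for this thread. With clear_on_exec, use the NOEXEC mode so
 * that programs exec'ed from here start with speculation enabled again. */
int disable_ssb(int clear_on_exec)
{
    unsigned long mode = clear_on_exec ? PR_SPEC_DISABLE_NOEXEC : PR_SPEC_DISABLE;
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, mode, 0, 0) < 0 ? -errno : 0;
}

int main(int argc, char **argv)
{
    int rc = disable_ssb(argc > 1 && strcmp(argv[1], "noexec") == 0);
    printf("set: %s\nparent: %s\n", rc ? strerror(-rc) : "ok", spec_state_name(query_ssb()));
    pid_t child = fork();            /* the flag is always inherited across fork ... */
    if (child == 0) {                /* ... exec decides whether it survives */
        execl("/bin/sh", "sh", "-c", "grep Speculation_Store /proc/self/status", (char *)NULL);
        _exit(127);
    }
    if (child > 0) waitpid(child, NULL, 0);
    return 0;
}
```

Run it once with no argument and once with `noexec`; on a kernel that supports the new mode, only the second run shows the exec'ed shell back in the unmitigated state.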