x86/speculation: Post-barrier Return Stack Buffer Predictions (CVE-2022-26373) (!1249) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

Waiman Long requested to merge llong1/centos-stream-9:bz2115086_retbleed2 into main Aug 09, 2022

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2115086
CVE: CVE-2022-26373
MR: !1249 (merged)
Depends: https://bugzilla.redhat.com/2090231

On certain processors with eIBRS, in some situations, shortly after an RSB-barrier: the linear address following the most recent near CALL2 instruction prior to a VM exit may be used as the RSB prediction for the first near RET instruction executed after VM exit that does not have a prior corresponding CALL instruction that was also executed after VM exit. This document refers to a RET without a corresponding CALL after an RSB- barrier as an unbalanced RET. This vulnerability is related to Retbleed.

Operating system (OS) and virtual machine manager (VMM) software that could potentially execute an unbalanced RET can use a short software sequence to mitigate this issue. Note that software which does not execute potentially affected RET instructions (such as when “RSB stuffing” is used) is not affected. The target that may be used across an RSB-barrier is limited to the most-recent CALL prior to the barrier. A cross-barrier RSB target will not be used for RET predictions that are made after the first post- barrier CALL retires.

The last 2 patches of this MR fixes the CVE from the kernel perspective. The other six patches are additional follow-up Retbleed patches that are not included in the Retbleed MR.

Signed-off-by: Waiman Long longman@redhat.com

Edited Aug 09, 2022 by Waiman Long

x86/speculation: Post-barrier Return Stack Buffer Predictions (CVE-2022-26373)

Merge request reports