x86/srso: AMD Speculative RAS Overflow (Inception) Mitigation CVE-2023-20569 (!2991) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

Waiman Long requested to merge llong1/centos-stream-9:bz2230381_srso into main Aug 28, 2023

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2230381
CVE: CVE-2023-20569
MR: !2991 (closed)

AMD Speculative Return Address Stack (RAS) Overflow (aka Inception, CVE-2023-20569) is a security vulnerability found in AMD Zen 1-4 processors. It is also called Return Address Predictor (RAP) velunerability.

The mitigation works by ensuring all RET instructions speculate to a controlled location, similar to how speculation is controlled in the retpoline sequence. To accomplish this, the __x86_return_thunk forces the CPU to mispredict every function return using a 'safe return' sequence.

To ensure the safety of this mitigation, the kernel must ensure that the safe return sequence is itself free from attacker interference. In Zen3 and Zen4, this is accomplished by creating a BTB alias between the untraining function srso_untrain_ret_alias() and the safe return function srso_safe_ret_alias() which results in evicting a potentially poisoned BTB entry and using that safe one for all function returns.

In older Zen1 and Zen2, this is accomplished using a reinterpretation technique similar to Retbleed one: srso_untrain_ret() and srso_safe_ret().

This MR also includes some miscellaneous fixes including the Zen1 quotient data leak after a division by 0 (CVE-2023-20588).

Signed-off-by: Waiman Long longman@redhat.com

Edited Aug 28, 2023 by Waiman Long

x86/srso: AMD Speculative RAS Overflow (Inception) Mitigation CVE-2023-20569

Merge request reports