lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 14 Feb 2023 12:06:12 -0500
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     linux-kernel@...r.kernel.org, kvm@...r.kernel.org
Cc:     thomas.lendacky@....com
Subject: [FYI PATCH 0/3] Cross-Thread Return Address Predictions vulnerability

Certain AMD processors are vulnerable to a cross-thread return address
predictions bug. When running in SMT mode and one of the sibling threads
transitions out of C0 state, the other thread gets access to twice as many
entries in the RSB, but unfortunately the predictions of the now-halted
logical processor are not purged.  Therefore, the executing processor
could speculatively execute from locations that the now-halted processor
had trained the RSB on.

The Spectre v2 mitigations cover the Linux kernel, as it fills the RSB
when context switching to the idle thread. However, KVM allows a VMM to
prevent exiting guest mode when transitioning out of C0 using the
KVM_CAP_X86_DISABLE_EXITS capability can be used by a VMM to change this
behavior. To mitigate the cross-thread return address predictions bug,
a VMM must not be allowed to override the default behavior to intercept
C0 transitions.

These patches introduce a KVM module parameter that, if set, will prevent
the user from disabling the HLT, MWAIT and CSTATE exits.

The patches apply to Linus's tree and (with a one-line context difference)
to the 6.1 stable tree.  They will be applied to the 6.2 and 6.1 trees
through bundles that I have sent to Linus and Greg.

A separate 5.15 backport will come soon.

Thanks,

Paolo

Tom Lendacky (3):
  x86/speculation: Identify processors vulnerable to SMT RSB predictions
  KVM: x86: Mitigate the cross-thread return address predictions bug
  Documentation/hw-vuln: Add documentation for Cross-Thread Return
    Predictions

 .../admin-guide/hw-vuln/cross-thread-rsb.rst  | 92 +++++++++++++++++++
 Documentation/admin-guide/hw-vuln/index.rst   |  1 +
 arch/x86/include/asm/cpufeatures.h            |  1 +
 arch/x86/kernel/cpu/common.c                  |  9 +-
 arch/x86/kvm/x86.c                            | 43 ++++++---
 5 files changed, 133 insertions(+), 13 deletions(-)
 create mode 100644 Documentation/admin-guide/hw-vuln/cross-thread-rsb.rst

-- 
2.39.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ