harden indirect calls against BHI attacks

Bug #1967579 reported by Thadeu Lima de Souza Cascardo
This bug affects 1 person
Affects               Status        Importance  Assigned to                    Milestone
linux (Ubuntu)        Fix Released  Medium      Thadeu Lima de Souza Cascardo
linux (Ubuntu Jammy)  In Progress   Medium      Thadeu Lima de Souza Cascardo

Bug Description

[Impact]
Branch History Injection is made easier when all indirect calls are funneled through the very few points where the retpolines were. By replacing the retpoline jumps with indirect calls whenever retpolines are disabled, BHI attacks become more difficult to execute, as the BTB is not as fixed as before.

[Fixes]
Though there are fixes that allow retpoline,lfence to be directly replaced in the indirect calls, given that that mitigation is not recommended for most situations, that hardening is not as important as the one that works for the spectre_v2=off option (the default one for systems with eIBRS). This latter one is present starting with 5.13, but backporting to 5.4 might be a good measure.
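As an added illustration of the mechanism the description refers to (example code written for this page, not code from the kernel or from the fix), the C program below builds in userspace a thunk in the shape of the kernel's __x86_indirect_thunk_rax and calls the same function pointer both through that thunk and with a plain call *%rax, the form the hardening patches in when retpolines are disabled. The thunk name demo_indirect_thunk_rax, the wrapper functions and the sample targets are all hypothetical; the point is to see that every thunked call site shares a single branch, while a direct indirect call has its branch at the call site itself. On non-x86-64 builds both wrappers degrade to an ordinary call so the program still compiles.

```c
#include <stdint.h>
#include <stdio.h>

/* Signature shared by every indirect-call target in this demo. */
typedef uint64_t (*target_fn)(uint64_t);

/* Constructed sample targets for the indirect calls. */
static uint64_t square(uint64_t x) { return x * x; }
static uint64_t twice(uint64_t x) { return 2 * x; }

#if defined(__x86_64__)
/*
 * Hand-written thunk (hypothetical name) in the shape of the kernel's
 * __x86_indirect_thunk_rax. The direct "call 1f" pushes the address of the
 * pause/lfence loop, so the RSB predicts a return into that loop; "1:" then
 * overwrites the pushed return address with the real target held in %rax
 * and "ret" transfers control there. Every call site routed through the
 * thunk shares this one branch, which is the funnel the bug report describes.
 */
__asm__(
    ".pushsection .text\n"
    ".type demo_indirect_thunk_rax, @function\n"
    "demo_indirect_thunk_rax:\n"
    "    call 1f\n"
    "2:  pause\n"
    "    lfence\n"
    "    jmp 2b\n"
    "1:  mov %rax, (%rsp)\n"
    "    ret\n"
    ".size demo_indirect_thunk_rax, .-demo_indirect_thunk_rax\n"
    ".popsection\n");

/* Registers the SysV ABI lets the callee clobber, plus r12, which we use to
 * save %rsp while realigning the stack for the call. */
#define CALL_CLOBBERS \
    "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11", "r12", \
    "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7", \
    "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15", \
    "memory", "cc"

/* fn(arg) through the thunk: only a direct call executes at this site.
 * Skipping 128 bytes keeps the pushes out of the compiler's red zone and
 * the "and" restores the 16-byte alignment the ABI wants at a call. */
static uint64_t call_via_retpoline(target_fn fn, uint64_t arg)
{
    uint64_t ret = (uint64_t)fn;   /* %rax: target in, return value out */
    __asm__ volatile(
        "mov %%rsp, %%r12\n"
        "sub $128, %%rsp\n"
        "and $-16, %%rsp\n"
        "call demo_indirect_thunk_rax\n"
        "mov %%r12, %%rsp\n"
        : "+a"(ret), "+D"(arg)
        :
        : CALL_CLOBBERS);
    return ret;
}

/* fn(arg) with a plain "call *%rax": the indirect branch executes at this
 * call site itself, which is what the hardening patches in once retpolines
 * are disabled (spectre_v2=off, or eIBRS systems). */
static uint64_t call_direct_indirect(target_fn fn, uint64_t arg)
{
    uint64_t ret = (uint64_t)fn;
    __asm__ volatile(
        "mov %%rsp, %%r12\n"
        "sub $128, %%rsp\n"
        "and $-16, %%rsp\n"
        "call *%%rax\n"
        "mov %%r12, %%rsp\n"
        : "+a"(ret), "+D"(arg)
        :
        : CALL_CLOBBERS);
    return ret;
}
#else
/* Other architectures: nothing to show, both paths are an ordinary call. */
static uint64_t call_via_retpoline(target_fn fn, uint64_t arg) { return fn(arg); }
static uint64_t call_direct_indirect(target_fn fn, uint64_t arg) { return fn(arg); }
#endif

/* Both call styles must compute identical results: the rewrite the bug
 * describes changes only where the branch executes, not what it does. */
int demo_paths_agree(uint64_t x)
{
    return call_via_retpoline(square, x) == call_direct_indirect(square, x)
        && call_via_retpoline(twice, x) == call_direct_indirect(twice, x);
}

int main(void)
{
    printf("square(12) via retpoline: %llu, via direct indirect call: %llu\n",
           (unsigned long long)call_via_retpoline(square, 12),
           (unsigned long long)call_direct_indirect(square, 12));
    return demo_paths_agree(12) ? 0 : 1;
}
```

Disassembling the two wrappers (objdump -d) shows the difference the bug is about: call_via_retpoline contains only a direct call to demo_indirect_thunk_rax, and the single indirect transfer for every such site is the ret inside the thunk, whereas call_direct_indirect carries its own call *%rax.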

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1967579

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Jammy):
status: Incomplete → In Progress
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
importance: Undecided → Medium
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-lowlatency/5.15.0-27.28 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-jammy
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.15.0-27.28

---------------
linux (5.15.0-27.28) jammy; urgency=medium

  * jammy/linux: 5.15.0-27.28 -proposed tracker (LP: #1968954)

 -- Paolo Pisati <email address hidden> Thu, 14 Apr 2022 06:46:57 +0200

Changed in linux (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Juerg Haefliger (juergh) wrote :

Fix released so adding tag 'verification-done-jammy'.

tags: added: verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-hwe-5.15/5.15.0-32.33~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
This report contains Public Security information. Everyone can see this security related information.
