Activity log for bug #2060909

Date Who What changed Old value New value Message
2024-04-11 05:41:21 Andrea Righi bug added bug
2024-04-11 05:41:30 Andrea Righi nominated for series Ubuntu Noble
2024-04-11 05:41:30 Andrea Righi bug task added linux (Ubuntu Noble)
2024-04-11 05:50:15 Andrea Righi linux (Ubuntu Noble): status. Old value: New. New value: Fix Committed.
2024-04-11 05:50:52 Andrea Righi description.
Old value:
[Impact]
Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in the kernel by poisoning the branch history.
eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes. Previously the only known real-world BHB attack vector was via unprivileged eBPF. Further research has found attacks that don't require unprivileged eBPF.
[Test case]
https://www.vusec.net/projects/native-bhi/
[Fix]
Backport from upstream the merge that introduces the spectre_bhi= boot option to control the BHI mitigation:
2bb69f5fc721 ("Merge tag 'nativebhi' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip")
ed2e8d49b54d ("KVM: x86: Add BHI_NO")
95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
be482ff95009 ("x86/bhi: Enumerate Branch History Injection (BHI) bug")
0f4a837615ff ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S")
7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall entry")
1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system calls")
0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file")
Also set spectre_bhi=auto by default, which will rely on the BHI_DIS_S hardware control if it is available on the system CPUs; otherwise a proper software sequence will be deployed at VMexit.
[Regression potential]
We may experience performance regressions with this new mitigation enabled, especially in VMs and on CPUs that don't have the BHI hardware support capability (due to the extra software sequence executed at VMexit).
New value:
[Impact]
Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in the kernel by poisoning the branch history.
eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes. Previously the only known real-world BHB attack vector was via unprivileged eBPF. Further research has found attacks that don't require unprivileged eBPF.
See also: https://www.phoronix.com/news/Linux-BHI-Branch-History-Inject
[Test case]
https://www.vusec.net/projects/native-bhi/
[Fix]
Backport from upstream the merge that introduces the spectre_bhi= boot option to control the BHI mitigation:
2bb69f5fc721 ("Merge tag 'nativebhi' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip")
ed2e8d49b54d ("KVM: x86: Add BHI_NO")
95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
be482ff95009 ("x86/bhi: Enumerate Branch History Injection (BHI) bug")
0f4a837615ff ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S")
7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall entry")
1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system calls")
0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file")
Also set spectre_bhi=auto by default, which will rely on the BHI_DIS_S hardware control if it is available on the system CPUs; otherwise a proper software sequence will be deployed at VMexit.
[Regression potential]
We may experience performance regressions with this new mitigation enabled, especially in VMs and on CPUs that don't have the BHI hardware support capability (due to the extra software sequence executed at VMexit).
2024-04-11 06:21:24 Andrea Righi summary. Old value: Backport mitigations for the native BHI hardware vulnerability. New value: Apply mitigations for the native BHI hardware vulnerability.
2024-04-11 06:30:05 Andrea Righi description.
Old value:
[Impact]
Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in the kernel by poisoning the branch history.
eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes. Previously the only known real-world BHB attack vector was via unprivileged eBPF. Further research has found attacks that don't require unprivileged eBPF.
See also: https://www.phoronix.com/news/Linux-BHI-Branch-History-Inject
[Test case]
https://www.vusec.net/projects/native-bhi/
[Fix]
Backport from upstream the merge that introduces the spectre_bhi= boot option to control the BHI mitigation:
2bb69f5fc721 ("Merge tag 'nativebhi' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip")
ed2e8d49b54d ("KVM: x86: Add BHI_NO")
95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
be482ff95009 ("x86/bhi: Enumerate Branch History Injection (BHI) bug")
0f4a837615ff ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S")
7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall entry")
1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system calls")
0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file")
Also set spectre_bhi=auto by default, which will rely on the BHI_DIS_S hardware control if it is available on the system CPUs; otherwise a proper software sequence will be deployed at VMexit.
[Regression potential]
We may experience performance regressions with this new mitigation enabled, especially in VMs and on CPUs that don't have the BHI hardware support capability (due to the extra software sequence executed at VMexit).
New value:
[Impact]
Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in the kernel by poisoning the branch history.
eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes. Previously the only known real-world BHB attack vector was via unprivileged eBPF. Further research has found attacks that don't require unprivileged eBPF.
See also: https://www.phoronix.com/news/Linux-BHI-Branch-History-Inject
[Test case]
https://www.vusec.net/projects/native-bhi/
[Fix]
Backport from upstream the merge that introduces the spectre_bhi= boot option to control the BHI mitigation:
2bb69f5fc721 ("Merge tag 'nativebhi' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip")
ed2e8d49b54d ("KVM: x86: Add BHI_NO")
95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
be482ff95009 ("x86/bhi: Enumerate Branch History Injection (BHI) bug")
0f4a837615ff ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S")
7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall entry")
1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system calls")
0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file")
Also set spectre_bhi=auto by default, which will rely on the BHI_DIS_S hardware control if it is available on the system CPUs; otherwise a proper software sequence will be executed at VMexit.
NOTE: we may get these changes via a stable update in 6.8; when that happens we can drop this backport and apply the patch set like any other regular stable update.
[Regression potential]
We may experience performance regressions with this new mitigation enabled, especially in VMs and on CPUs that don't have the BHI hardware support capability (due to the extra software sequence executed at VMexit).
2024-04-19 20:56:10 Launchpad Janitor linux (Ubuntu Noble): status. Old value: Fix Committed. New value: Fix Released.