Bug 2061712 (CVE-2022-0001)

Summary: CVE-2022-0001 hw: cpu: intel: Branch History Injection (BHI)
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, bhu, brdeoliv, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hkrzesin, jarod, jburrell, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, lgoncalv, lzampier, mvanderw, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, security-response-team, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in hw. The Branch History Injection (BHI) describes a specific form of intra-mode BTI. This flaw allows an unprivileged attacker to manipulate the branch history before transitioning to supervisor or VMX root mode. This issue is an effort to cause an indirect branch predictor to select a specific predictor entry for an indirect branch, and a disclosure gadget at the predicted target will transiently execute. This execution is possible since the relevant branch history may contain branches taken in previous security contexts, and in particular, in other predictor modes.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-11 17:16:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2062155, 2062156, 2062157, 2062158, 2062159, 2062160, 2062161, 2062635    
Bug Blocks: 2012088    

Description Petr Matousek 2022-03-08 11:43:21 UTC 
Branch History Injection (BHI) describes a specific form of intra-mode BTI (bug CVE-2022-0001), where an unprivileged attacker may manipulate branch history before transitioning to supervisor or VMX root mode in an effort to cause an indirect branch predictor to select a specific predictor entry for an indirect branch, and a disclosure gadget at the predicted target will transiently execute. This may be possible since the relevant branch history may contain branches taken in previous security contexts, and in particular, in other predictor modes.
Comment 7 errata-xmlrpc 2022-05-10 14:41:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975
Comment 8 errata-xmlrpc 2022-05-10 14:47:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988
Comment 9 Product Security DevOps Team 2022-05-11 17:16:09 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0001