Bug 2115065 (CVE-2022-26373)

Summary: CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, aquini, bhu, brdeoliv, bskeggs, chwhite, crwood, dbohanno, ddepaula, debarbos, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, llong, longman, lzampier, masami256, mchehab, mvanderw, nmurray, pmatouse, ptalbert, qzhao, rvrbovsk, scweaver, security-response-team, steved, tyberry, vkumar, walters, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in hw. In certain processors with Intel's Enhanced Indirect Branch Restricted Speculation (eIBRS) capabilities, soon after VM exit or IBPB command event, the linear address following the most recent near CALL instruction prior to a VM exit may be used as the Return Stack Buffer (RSB) prediction.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-14 14:48:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2115069, 2115070, 2115071, 2115072, 2115073, 2115074, 2115075, 2115076, 2115077, 2115078, 2115079, 2115080, 2115081, 2115082, 2115083, 2115084, 2115085, 2115086, 2115087, 2115088, 2117008    
Bug Blocks: 2115063    

Description Rohit Keshri 2022-08-03 19:34:20 UTC 
On certain processors with eIBRS, an exception to the two above properties has been identified in some
situations, shortly after an RSB-barrier: the linear address following the most recent near CALL2
instruction prior to a VM exit may be used as the RSB prediction for the first near RET instruction
executed after VM exit that does not have a prior corresponding CALL instruction that was also

executed after VM exit. This document refers to a RET without a corresponding CALL after an RSB-
barrier as an unbalanced RET.

Operating system (OS) and virtual machine manager (VMM) software that could potentially execute an
unbalanced RET can use a short software sequence to mitigate this issue. Note that software which
does not execute potentially affected RET instructions (such as when “RSB stuffing” is used) is not
affected.
The target that may be used across an RSB-barrier is limited to the most-recent CALL prior to the

barrier. A cross-barrier RSB target will not be used for RET predictions that are made after the first post-
barrier CALL retires.

Refer:
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html
Comment 5 Todd Cullum 2022-08-09 18:13:31 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2117008]
Comment 6 Justin M. Forbes 2022-08-15 17:38:34 UTC 
This was fixed for Fedora with the 5.18.17 stable kernel updates.
Comment 7 errata-xmlrpc 2022-11-02 16:34:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7337 https://access.redhat.com/errata/RHSA-2022:7337
Comment 8 errata-xmlrpc 2022-11-02 16:35:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7338 https://access.redhat.com/errata/RHSA-2022:7338
Comment 9 errata-xmlrpc 2022-11-08 09:10:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444
Comment 10 errata-xmlrpc 2022-11-08 10:10:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683
Comment 11 errata-xmlrpc 2022-11-15 09:45:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7933 https://access.redhat.com/errata/RHSA-2022:7933
Comment 12 errata-xmlrpc 2022-11-15 10:48:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8267 https://access.redhat.com/errata/RHSA-2022:8267
Comment 13 errata-xmlrpc 2022-12-13 16:05:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:8973 https://access.redhat.com/errata/RHSA-2022:8973
Comment 14 errata-xmlrpc 2022-12-13 16:06:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:8974 https://access.redhat.com/errata/RHSA-2022:8974
Comment 15 Product Security DevOps Team 2022-12-14 14:47:58 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-26373
Comment 16 errata-xmlrpc 2023-01-24 14:40:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0440 https://access.redhat.com/errata/RHSA-2023:0440