Bug 2119127 (CVE-2022-23824)

Summary: CVE-2022-23824 hw: cpu: AMD: IBPB and Return Address Predictor Interactions
Product: [Other] Security Response
Reporter: Alex <allarkin>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, brdeoliv, chwhite, crwood, ddepaula, debarbos, dvlasenk, ezulian, hdegoede, hkrzesin, hpa, iwienand, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lleshchi, lzampier, masami256, mchehab, mvanderw, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, steved, tyberry, vkumar, walters, williams
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in hardware. AMD CPUs can be attacked in a manner similar to the previously known Spectre Variant 2 (CVE-2017-5715). This issue affects AMD CPUs where the OS relies on IBPB to flush the return address predictor. As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-11-09 10:37:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2141263, 2141273, 2141274, 2141275, 2141276, 2141277, 2141278, 2141279, 2141280, 2141281, 2141282, 2141283, 2141284, 2141285, 2141286, 2141287, 2141288, 2141289, 2141290, 2141291, 2141292, 2141293, 2141294, 2141295, 2141296, 2141297, 2141298, 2209638, 2209639, 2210536, 2210537, 2213229, 2213230, 2213231, 2213232    
Bug Blocks: 2097540    

Description Alex 2022-08-17 15:41:12 UTC
IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.

This issue (CVE-2022-23824 or AMD-SN-1040) is related to CVE-2017-5715, previously known as Spectre Variant 2. As part of our efforts to continue improving security features, AMD has investigated issues related to CVE-2017-5715 in recent months. One of the potential issues related to CVE-2017-5715 was previously notified (in AMD-SN-1036). In some situations, IBPB may fail to prevent return branch predictions from being specified by pre-IBPB branch targets, leading to potential information disclosure.

References:
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036
https://www.amd.com/system/files/documents/software-techniques-for-managing-speculation.pdf
https://access.redhat.com/security/vulnerabilities/speculativeexecution

Comment 5 Alex 2022-11-09 11:14:53 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2141263]

Comment 17 Lucas Zampieri 2023-05-26 13:24:46 UTC
Thank you Alex, but are we still missing the 8.9.y bz? Or is this supposed to be merged on Y?

Comment 24 Ian Wienand 2023-08-24 04:50:05 UTC
I had a look at the related RHEL-8 side of things, and per my comment [1] I believe that the same buffer stacking on the RHEL-9 branch is also on all RHEL-8 branches, and enabled by the spectrev2 mitigation.

I'm assuming that, based on that, the RHEL-8 trackers should be closed in the same way as the 9 trackers from comment #23?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2210536#c3

Comment 25 Ian Wienand 2023-08-24 04:51:17 UTC
I mean "return stack buffer stuffing" sorry ...
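As an added example that is not part of this bug report (editor's code, not Red Hat's or AMD's), a defender's check that parses the kernel's spectre_v2 sysfs report and flags hosts where a Spectre v2 mitigation is active but return stack buffer stuffing (reported by the kernel as "RSB filling") is not listed, since per the comments above that is what covers this CVE rather than IBPB alone. The sample report strings are constructed; the sysfs path is the kernel's standard one.

```python
import os

SYSFS_SPECTRE_V2 = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# Constructed sample reports in the kernel's sysfs format (not captured from a real host).
SAMPLE_REPORTS = {
    "rsb_filled": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling, PBRSB-eIBRS: Not affected",
    "ibpb_only": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: disabled",
    "vulnerable": "Vulnerable",
    "not_affected": "Not affected",
}


def parse_spectre_v2(report: str) -> dict:
    """Split one spectre_v2 sysfs line into its state and mitigation feature list."""
    report = report.strip()
    if not report.startswith("Mitigation:"):
        # "Vulnerable", "Not affected" or "Unknown: ..." carry no feature list.
        return {"state": report, "features": [], "ibpb": None, "rsb_filling": False}
    features = [f.strip() for f in report[len("Mitigation:"):].split(",") if f.strip()]
    ibpb = next((f.split(":", 1)[1].strip() for f in features if f.startswith("IBPB:")), None)
    return {
        "state": "Mitigation",
        "features": features,
        "ibpb": ibpb,
        "rsb_filling": "RSB filling" in features,
    }


def assess(report: str) -> tuple:
    """Return (ok, reason) for CVE-2022-23824: an IBPB-based mitigation must be
    accompanied by RSB stuffing, otherwise the return address predictor is not flushed."""
    info = parse_spectre_v2(report)
    if info["state"] == "Not affected":
        return True, "kernel reports this CPU as not affected by Spectre v2"
    if info["state"] != "Mitigation":
        return False, f"spectre_v2 state is '{info['state']}'"
    if not info["rsb_filling"]:
        return False, "RSB filling not listed; IBPB alone does not flush the return address predictor"
    return True, f"RSB filling active (IBPB: {info['ibpb']})"


def assess_live_host():
    """Assess the running kernel's report; None when the sysfs file is unavailable."""
    if not os.path.exists(SYSFS_SPECTRE_V2):
        return None
    with open(SYSFS_SPECTRE_V2) as fh:
        return assess(fh.read())


if __name__ == "__main__":
    for name, text in SAMPLE_REPORTS.items():
        print(f"{name:12} -> {assess(text)}")
    print(f"{'live host':12} -> {assess_live_host()}")
```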