Bug 2254156 (CVE-2020-12965, SLAM)

Summary: CVE-2020-12965 hw: amd: Spectre based on Linear Address Masking
Product: Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, allarkin, bhu, chwhite, cye, cyin, dbohanno, debarbos, dvlasenk, ezulian, hkrzesin, jarod, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, tglozar, tyberry, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in AMD CPUs. When combined with specific software sequences, AMD CPUs may transiently execute non-canonical loads and stores using only the lower 48 address bits, potentially resulting in data leakage.
Bug Blocks: 2254157

Description Rohit Keshri 2023-12-12 11:11:20 UTC
SLAM is a new side-channel attack that could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm.

The attack is an end-to-end exploit for Spectre based on a new feature in Intel CPUs called Linear Address Masking (LAM) as well as its analogous counterparts from AMD (called Upper Address Ignore or UAI) and Arm (called Top Byte Ignore or TBI).

"SLAM exploits unmasked gadgets to let a userland process leak arbitrary ASCII kernel data," VUSec researchers said, adding it could be leveraged to leak the root password hash within minutes from kernel memory.

The first page lists these processors as affected:

    - Existing AMD CPUs vulnerable to CVE-2020-12965;
    - Future Intel CPUs supporting LAM (both 4- and 5-level paging);
    - Future AMD CPUs supporting UAI and 5-level paging;
    - Future Arm CPUs supporting TBI and 5-level paging.

SLAM takes advantage of CPU features which allow masking off some bits of pointer addresses to store additional data in, such as Intel's Linear Address Masking (LAM), AMD's Upper Address Ignore (UAI), or Arm's Top-byte Ignore (TBI).

Refer:
https://www.openwall.com/lists/oss-security/2023/12/05/3
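
The address-masking mechanism the description refers to, as an added illustration that is not code from this bug report or from the SLAM authors: it models the canonical-address check for 48-bit (4-level paging) linear addresses next to a LAM_U48-style mask that ignores bits 62:48, showing that a pointer carrying metadata in those bits is non-canonical under the plain check but resolves to the same linear address once those bits are ignored. The address values and the 15-bit tag layout are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 4-level paging: 48 implemented linear-address bits (assumption for the model). */
#define VA_BITS 48

/* Canonical check a CPU performs without LAM/UAI: bits 63:47 must be all
 * zeros or all ones. A pointer that fails this faults (#GP) and never
 * reaches the load/store unit architecturally. */
static bool is_canonical(uint64_t va)
{
    uint64_t upper = va >> (VA_BITS - 1);              /* bits 63:47 */
    uint64_t all_ones = (1ULL << (64 - VA_BITS + 1)) - 1; /* 17 ones */
    return upper == 0 || upper == all_ones;
}

/* LAM_U48-style masking (modelled on Intel LAM with 4-level paging):
 * bits 62:48 are treated as software metadata and replaced by a copy of
 * bit 63, so the canonical check shrinks to "bit 63 == bit 47". */
static uint64_t lam48_mask(uint64_t va)
{
    uint64_t meta_mask = 0x7FFFULL << VA_BITS;         /* bits 62:48 */
    return (va >> 63) ? (va | meta_mask) : (va & ~meta_mask);
}

/* Store 15 bits of metadata in bits 62:48, as a tagging scheme built on
 * LAM/UAI would. Under the plain canonical check this pointer is invalid. */
static uint64_t tag_pointer(uint64_t va, uint16_t tag)
{
    return (va & ~(0x7FFFULL << VA_BITS)) | ((uint64_t)(tag & 0x7FFF) << VA_BITS);
}

int main(void)
{
    uint64_t user_ptr = 0x00007f1234567800ULL;         /* constructed user address */
    uint64_t kern_ptr = 0xffff888000001000ULL;         /* constructed kernel address */
    uint64_t tagged_u = tag_pointer(user_ptr, 0x1ABC);
    uint64_t tagged_k = tag_pointer(kern_ptr, 0x0123);

    printf("tagged user   %#018llx canonical=%d -> masked %#018llx\n",
           (unsigned long long)tagged_u, is_canonical(tagged_u),
           (unsigned long long)lam48_mask(tagged_u));
    printf("tagged kernel %#018llx canonical=%d -> masked %#018llx\n",
           (unsigned long long)tagged_k, is_canonical(tagged_k),
           (unsigned long long)lam48_mask(tagged_k));
    return 0;
}
```

The masked results equal the untagged pointers, which is the property the Doc Text describes: the access resolves using only the lower 48 address bits instead of faulting on the non-canonical upper bits.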

Comment 1 Rohit Keshri 2023-12-12 11:19:02 UTC
More Details:
-------------
"Arm systems already mitigate against Spectre v2 and BHB, and it is considered the software's responsibility to protect itself against Spectre v1," Arm said in an advisory. "The described techniques only increase the attack surface of existing vulnerabilities such as Spectre v2 or BHB by augmenting the number of exploitable gadgets."

AMD has pointed to current Spectre v2 mitigations to address the SLAM exploit.

Intel, on the other hand, intends to provide software guidance prior to the future release of Intel processors that support LAM.

Linux maintainers have developed patches to disable LAM by default.