Bug 2115065 (CVE-2022-26373) - CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions
Summary: CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-26373
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2115070 2115071 2115072 2115076 2115077 2115078 2115081 2115082 2115069 2115073 2115074 2115075 2115079 2115080 2115083 2115084 2115085 2115086 2115087 2115088 2117008
Blocks: 2115063
TreeView+ depends on / blocked
 
Reported: 2022-08-03 19:34 UTC by Rohit Keshri
Modified: 2023-02-13 21:08 UTC (History)
59 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in hw. In certain processors with Intel's Enhanced Indirect Branch Restricted Speculation (eIBRS) capabilities, soon after VM exit or IBPB command event, the linear address following the most recent near CALL instruction prior to a VM exit may be used as the Return Stack Buffer (RSB) prediction.
Clone Of:
Environment:
Last Closed: 2022-12-14 14:48:03 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:7877 0 None None None 2022-11-09 09:26:48 UTC
Red Hat Product Errata RHBA-2022:9021 0 None None None 2022-12-14 12:03:06 UTC
Red Hat Product Errata RHSA-2022:7337 0 None None None 2022-11-02 16:34:45 UTC
Red Hat Product Errata RHSA-2022:7338 0 None None None 2022-11-02 16:35:12 UTC
Red Hat Product Errata RHSA-2022:7444 0 None None None 2022-11-08 09:10:33 UTC
Red Hat Product Errata RHSA-2022:7683 0 None None None 2022-11-08 10:10:19 UTC
Red Hat Product Errata RHSA-2022:7933 0 None None None 2022-11-15 09:45:44 UTC
Red Hat Product Errata RHSA-2022:8267 0 None None None 2022-11-15 10:48:54 UTC
Red Hat Product Errata RHSA-2022:8973 0 None None None 2022-12-13 16:06:01 UTC
Red Hat Product Errata RHSA-2022:8974 0 None None None 2022-12-13 16:06:35 UTC
Red Hat Product Errata RHSA-2023:0440 0 None None None 2023-01-24 14:40:40 UTC

Description Rohit Keshri 2022-08-03 19:34:20 UTC 
On certain processors with eIBRS, an exception to the two above properties has been identified in some
situations, shortly after an RSB-barrier: the linear address following the most recent near CALL2
instruction prior to a VM exit may be used as the RSB prediction for the first near RET instruction
executed after VM exit that does not have a prior corresponding CALL instruction that was also

executed after VM exit. This document refers to a RET without a corresponding CALL after an RSB-
barrier as an unbalanced RET.

Operating system (OS) and virtual machine manager (VMM) software that could potentially execute an
unbalanced RET can use a short software sequence to mitigate this issue. Note that software which
does not execute potentially affected RET instructions (such as when “RSB stuffing” is used) is not
affected.
The target that may be used across an RSB-barrier is limited to the most-recent CALL prior to the

barrier. A cross-barrier RSB target will not be used for RET predictions that are made after the first post-
barrier CALL retires.

Refer:
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html
Comment 5 Todd Cullum 2022-08-09 18:13:31 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2117008]
Comment 6 Justin M. Forbes 2022-08-15 17:38:34 UTC 
This was fixed for Fedora with the 5.18.17 stable kernel updates.
Comment 7 errata-xmlrpc 2022-11-02 16:34:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7337 https://access.redhat.com/errata/RHSA-2022:7337
Comment 8 errata-xmlrpc 2022-11-02 16:35:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7338 https://access.redhat.com/errata/RHSA-2022:7338
Comment 9 errata-xmlrpc 2022-11-08 09:10:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444
Comment 10 errata-xmlrpc 2022-11-08 10:10:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683
Comment 11 errata-xmlrpc 2022-11-15 09:45:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7933 https://access.redhat.com/errata/RHSA-2022:7933
Comment 12 errata-xmlrpc 2022-11-15 10:48:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8267 https://access.redhat.com/errata/RHSA-2022:8267
Comment 13 errata-xmlrpc 2022-12-13 16:05:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:8973 https://access.redhat.com/errata/RHSA-2022:8973
Comment 14 errata-xmlrpc 2022-12-13 16:06:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:8974 https://access.redhat.com/errata/RHSA-2022:8974
Comment 15 Product Security DevOps Team 2022-12-14 14:47:58 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-26373
Comment 16 errata-xmlrpc 2023-01-24 14:40:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0440 https://access.redhat.com/errata/RHSA-2023:0440
Note You need to log in before you can comment on or make changes to this bug.