Bug 2119127 (CVE-2022-23824) - CVE-2022-23824 hw: cpu: AMD: IBPB and Return Address Predictor Interactions
Summary: CVE-2022-23824 hw: cpu: AMD: IBPB and Return Address Predictor Interactions
Keywords:
Status: NEW
Alias: CVE-2022-23824
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2141263 2141273 2141274 2141275 2141276 2141277 2141278 2141279 2141280 2141281 2141282 2141283 2141284 2141285 2141286 2141287 2141288 2141289 2141290 2141291 2141292 2141293 2141294 2141295 2141296 2141297 2141298 2209638 2209639 2210536 2210537 2213229 2213230 2213231 2213232
Blocks: 2097540
 
Reported: 2022-08-17 15:41 UTC by Alex
Modified: 2023-09-26 20:52 UTC (History)
51 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in hardware. AMD CPUs can be attacked in a manner similar to the previously known Spectre Variant 2 (CVE-2017-5715). This issue affects AMD CPUs where the OS relies on IBPB to flush the return address predictor. As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.
Clone Of:
Environment:
Last Closed: 2022-11-09 10:37:16 UTC
Embargoed:


Attachments

Description Alex 2022-08-17 15:41:12 UTC
IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.

This issue (CVE-2022-23824 or AMD-SN-1040) is related to CVE-2017-5715, previously known as Spectre Variant 2. As part of our efforts to continue improving security features, AMD has investigated issues related to CVE-2017-5715 in recent months. One of the potential issues related to CVE-2017-5715 was previously notified (in AMD-SN-1036). In some situations, IBPB may fail to prevent return branch predictions from being specified by pre-IBPB branch targets, leading to potential information disclosure.

Reference:
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036
https://www.amd.com/system/files/documents/software-techniques-for-managing-speculation.pdf
https://access.redhat.com/security/vulnerabilities/speculativeexecution
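
The practical question raised by this report is whether a given Linux host relies on IBPB alone or also stuffs the return stack buffer (the later comments on this bug close the RHEL trackers on exactly that point). The following is an added example, not part of the bug report or of any Red Hat or AMD tooling: it parses the kernel's spectre_v2 sysfs string (assumed format "Mitigation: ...; IBPB: ...; RSB filling", with "; " separators on current kernels and ", " on older ones) and flags the IBPB-without-RSB-filling combination. The sample strings used in the comments are constructed. The check is a heuristic over what the kernel reports; "RSB filling" only means the kernel stuffs the RSB on context switch, and it does not replace the firmware update AMD's bulletin asks for.

```shell
#!/bin/sh
# Added example, not part of the bug report: classify what the kernel reports
# for Spectre v2 with respect to IBPB and RSB stuffing. Input is the text of
# /sys/devices/system/cpu/vulnerabilities/spectre_v2, whose fields are
# separated by "; " on current kernels and by ", " on older ones, e.g.
#   Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling

# has_field STRING PREFIX: succeed if one field of STRING starts with PREFIX.
has_field() {
    printf '%s\n' "$1" | tr ';,' '\n\n' | sed 's/^ *//' | grep -q "^$2"
}

# classify_spectre_v2 STRING: print one token describing the state.
#   not-affected              CPU is not affected per the kernel
#   vulnerable                no mitigation active
#   no-ibpb                   mitigated, but IBPB not in use (disabled or absent)
#   ibpb-with-rsb-filling     IBPB in use and RSB stuffing on context switch reported
#   ibpb-without-rsb-filling  IBPB in use but no "RSB filling" field: the case this
#                             bug is about, worth investigating on AMD hosts
#   unknown                   unrecognised format
classify_spectre_v2() {
    case "$1" in
        "Not affected"*) echo not-affected; return 0 ;;
        Vulnerable*)     echo vulnerable;   return 0 ;;
        Mitigation:*)    ;;
        *)               echo unknown;      return 0 ;;
    esac
    if has_field "$1" "IBPB: disabled" || ! has_field "$1" "IBPB"; then
        echo no-ibpb
    elif has_field "$1" "RSB filling"; then
        echo ibpb-with-rsb-filling
    else
        echo ibpb-without-rsb-filling
    fi
}

# is_amd_cpuinfo TEXT: succeed if /proc/cpuinfo-style TEXT names an AMD vendor.
is_amd_cpuinfo() {
    printf '%s\n' "$1" | grep -q '^vendor_id[[:space:]]*:[[:space:]]*AuthenticAMD'
}

# check_local_system: run the classification against the running kernel.
# Only meaningful on Linux; prints a one-line verdict.
check_local_system() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ ! -r "$f" ]; then
        echo "no $f (not Linux, or kernel too old to report it)"
        return 1
    fi
    state=$(classify_spectre_v2 "$(cat "$f")")
    vendor=other
    if is_amd_cpuinfo "$(cat /proc/cpuinfo 2>/dev/null)"; then vendor=AMD; fi
    echo "vendor=$vendor spectre_v2=$state"
}

# Usage: sh spectre_v2_check.sh --check
if [ "${1-}" = "--check" ]; then
    check_local_system
fi
```

Run it with `--check` on an AMD host; a verdict of `ibpb-without-rsb-filling` is the configuration this report is about and merits a kernel update, while `ibpb-with-rsb-filling` matches the state the RHEL trackers were closed on.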

Comment 5 Alex 2022-11-09 11:14:53 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2141263]

Comment 17 Lucas Zampieri 2023-05-26 13:24:46 UTC
Thank you Alex, but are we still missing the 8.9.y bz?  Or is this supposed to be merged on Y?

Comment 24 Ian Wienand 2023-08-24 04:50:05 UTC
I have had a look at the related RHEL-8 side of things, and per my comment [1] I believe that the same buffer stacking on the RHEL-9 branch is also on all RHEL-8 branches, and enabled by the spectrev2 mitigation.

I'm assuming that, based on that, the RHEL-8 trackers should be closed in the same way as the 9 trackers from comment #23?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2210536#c3

Comment 25 Ian Wienand 2023-08-24 04:51:17 UTC
I mean "return stack buffer stuffing" sorry ...

