Bug 2167288 (CVE-2023-0045) - CVE-2023-0045 kernel: Bypassing Spectre-BTI User Space Mitigations
Summary: CVE-2023-0045 kernel: Bypassing Spectre-BTI User Space Mitigations
Keywords:
Status: NEW
Alias: CVE-2023-0045
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2167418 2167419 2167420 2167421
Blocks: 2167265
Reported: 2023-02-06 06:25 UTC by Sandipan Roy
Modified: 2023-12-27 06:53 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. This issue occurs due to a failure mitigating the Spectre-BTI attack (using the kernel API), as IBPB is not issued during the syscall until the next schedule, leaving the system vulnerable.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Sandipan Roy 2023-02-06 06:25:57 UTC
While testing the success rate of Spectre-BTI attacks, it was observed that the kernel does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR in the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked.

This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The behavior is only corrected after a reschedule of the task happens. Furthermore, the kernel entrance (due to the syscall itself) does not issue an IBPB in the default scenarios (i.e., when the kernel protects itself via retpoline or eIBRS).

Refer:
https://github.com/es0j/CVE-2023-0045/blob/main/README.md
https://github.com/google/security-research/security/advisories/GHSA-9x5g-vmxf-4qj8
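
The user-space side of the prctl path described above, as an added example (not part of the bug report or the kernel source): a task requests the indirect-branch mitigation and reads back the state the kernel reports. The helper names `spec_state` and `harden_task` are hypothetical; the constants are those of the Linux uapi header.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Values from the Linux uapi <linux/prctl.h>; fallback for old headers only. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_PRCTL         (1UL << 0)
#define PR_SPEC_ENABLE        (1UL << 1)
#define PR_SPEC_DISABLE       (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif

/* Decode the value returned by PR_GET_SPECULATION_CTRL. */
const char *spec_state(long st)
{
    if (st < 0)                     return "error";
    if (st == 0)                    return "not-affected";
    if (st & PR_SPEC_FORCE_DISABLE) return "force-disabled";
    if (st & PR_SPEC_DISABLE)       return "disabled";
    if (st & PR_SPEC_ENABLE) return (st & PR_SPEC_PRCTL) ? "enabled-prctl" : "enabled";
    return "unknown";
}

/* Request PR_SPEC_DISABLE for indirect branches (the call that reaches
 * ib_prctl_set) and report the state before and after. Returns 0 or -errno.
 * Per the report, "disabled" reflects the TIF flag, not an issued IBPB. */
int harden_task(long *before, long *after)
{
    unsigned long ib = PR_SPEC_INDIRECT_BRANCH;
    *before = *after = prctl(PR_GET_SPECULATION_CTRL, ib, 0UL, 0UL, 0UL);
    if (prctl(PR_SET_SPECULATION_CTRL, ib, (unsigned long)PR_SPEC_DISABLE, 0UL, 0UL) != 0)
        return -errno;
    *after = prctl(PR_GET_SPECULATION_CTRL, ib, 0UL, 0UL, 0UL);
    return 0;
}

int main(void)
{
    long before, after;
    int rc = harden_task(&before, &after);
    printf("before=%s after=%s rc=%d (%s)\n", spec_state(before),
           spec_state(after), rc, rc ? strerror(-rc) : "ok");
    return 0;
}
```

A non-zero `rc` means the kernel refused or does not support the control on this system (for example a non-x86 CPU or a boot configuration without user-space Spectre v2 controls).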

