Bug 2115065 (CVE-2022-26373) - CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions
Summary: CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions
Keywords:
Status: NEW
Alias: CVE-2022-26373
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2115070 2115071 2115072 2115074 2115076 2115077 2115078 2115079 2115081 2115082 2115083 2115085 2115087 2115069 2115073 2115075 2115080 2115084 2115086 2115088 2117008
Blocks: 2115063
TreeView+ depends on / blocked
 
Reported: 2022-08-03 19:34 UTC by Rohit Keshri
Modified: 2022-11-21 00:29 UTC (History)
59 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in hw. In certain processors with Intel's Enhanced Indirect Branch Restricted Speculation (eIBRS) capabilities, soon after VM exit or IBPB command event, the linear address following the most recent near CALL instruction prior to a VM exit may be used as the Return Stack Buffer (RSB) prediction.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:7877 0 None None None 2022-11-09 09:26:48 UTC
Red Hat Product Errata RHSA-2022:7337 0 None None None 2022-11-02 16:34:45 UTC
Red Hat Product Errata RHSA-2022:7338 0 None None None 2022-11-02 16:35:12 UTC
Red Hat Product Errata RHSA-2022:7444 0 None None None 2022-11-08 09:10:33 UTC
Red Hat Product Errata RHSA-2022:7683 0 None None None 2022-11-08 10:10:19 UTC
Red Hat Product Errata RHSA-2022:7933 0 None None None 2022-11-15 09:45:44 UTC
Red Hat Product Errata RHSA-2022:8267 0 None None None 2022-11-15 10:48:54 UTC

Description Rohit Keshri 2022-08-03 19:34:20 UTC
On certain processors with eIBRS, an exception to the two above properties has been identified in some
situations, shortly after an RSB-barrier: the linear address following the most recent near CALL2
instruction prior to a VM exit may be used as the RSB prediction for the first near RET instruction
executed after VM exit that does not have a prior corresponding CALL instruction that was also

executed after VM exit. This document refers to a RET without a corresponding CALL after an RSB-
barrier as an unbalanced RET.

Operating system (OS) and virtual machine manager (VMM) software that could potentially execute an
unbalanced RET can use a short software sequence to mitigate this issue. Note that software which
does not execute potentially affected RET instructions (such as when “RSB stuffing” is used) is not
affected.
The target that may be used across an RSB-barrier is limited to the most-recent CALL prior to the

barrier. A cross-barrier RSB target will not be used for RET predictions that are made after the first post-
barrier CALL retires.

Refer:
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html

Comment 5 Todd Cullum 2022-08-09 18:13:31 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2117008]

Comment 6 Justin M. Forbes 2022-08-15 17:38:34 UTC
This was fixed for Fedora with the 5.18.17 stable kernel updates.

Comment 7 errata-xmlrpc 2022-11-02 16:34:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7337 https://access.redhat.com/errata/RHSA-2022:7337

Comment 8 errata-xmlrpc 2022-11-02 16:35:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7338 https://access.redhat.com/errata/RHSA-2022:7338

Comment 9 errata-xmlrpc 2022-11-08 09:10:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444

Comment 10 errata-xmlrpc 2022-11-08 10:10:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683

Comment 11 errata-xmlrpc 2022-11-15 09:45:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7933 https://access.redhat.com/errata/RHSA-2022:7933

Comment 12 errata-xmlrpc 2022-11-15 10:48:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8267 https://access.redhat.com/errata/RHSA-2022:8267


Note You need to log in before you can comment on or make changes to this bug.