Bug 2208357 (CVE-2022-42336) - CVE-2022-42336 xen: Mishandling of guest SSBD selection on AMD hardware
Summary: CVE-2022-42336 xen: Mishandling of guest SSBD selection on AMD hardware
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2022-42336
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2208358
Blocks: 2207739
Reported: 2023-05-18 17:15 UTC by Anten Skrabec
Modified: 2023-05-18 22:42 UTC

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-18 22:42:06 UTC
Embargoed:



Description Anten Skrabec 2023-05-18 17:15:55 UTC
Mishandling of guest SSBD selection on AMD hardware

The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads require SSBD active in order to coordinate it; such logic relies on using a per-core counter of threads that have SSBD active.

When running on the mentioned hardware, it's possible for a guest to under or overflow the thread counter, because each write to VIRT_SPEC_CTRL.SSBD by the guest gets propagated to the helper that does the per-core active accounting. Underflowing the counter causes the value to get saturated, and thus attempts for guests running on the same core to set SSBD won't have effect because the hypervisor assumes it's already active.

https://xenbits.xenproject.org/xsa/advisory-431.txt
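
Added example (not from the advisory or the Xen source): a simplified C model of the per-core accounting described above, comparing a handler that forwards every guest write to the counter with one that ignores writes that do not change the vCPU's SSBD state. All names (core_account, wr_buggy, wr_checked, sibling_protected) are hypothetical, unsigned wrap-around stands in for the saturated counter, and the transition check is one way to keep the accounting consistent, not necessarily the upstream fix.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not Xen source; every name here is hypothetical. */
struct core { unsigned int count; bool hw_ssbd; }; /* shared by sibling threads */
struct vcpu { bool ssbd; };                        /* last state the guest asked for */

/* Per-core helper: hardware SSBD follows the 0 <-> 1 edges of the counter. */
static void core_account(struct core *c, bool enable)
{
    if (enable) {
        if (c->count++ == 0)
            c->hw_ssbd = true;
    } else {
        if (--c->count == 0)   /* at count == 0 this wraps to UINT_MAX */
            c->hw_ssbd = false;
    }
}

/* Flawed pattern: every write reaches the accounting helper. */
static void wr_buggy(struct core *c, struct vcpu *v, bool ssbd)
{
    v->ssbd = ssbd;
    core_account(c, ssbd);
}

/* Hardened pattern (assumption): account only on a real state transition. */
static void wr_checked(struct core *c, struct vcpu *v, bool ssbd)
{
    if (v->ssbd == ssbd)
        return;                /* redundant write: counter must not move */
    v->ssbd = ssbd;
    core_account(c, ssbd);
}

typedef void (*wr_fn)(struct core *, struct vcpu *, bool);

/* Is hardware SSBD on after sibling B asks for it, given one redundant
 * clear from sibling A beforehand? (Constructed scenario.) */
static bool sibling_protected(wr_fn wr)
{
    struct core c = { 0, false };
    struct vcpu a = { false }, b = { false };
    wr(&c, &a, false);         /* A clears SSBD although it was already off */
    wr(&c, &b, true);          /* B requests SSBD */
    return c.hw_ssbd;
}

int main(void)
{
    printf("forward every write: B protected = %d\n", sibling_protected(wr_buggy));
    printf("transition check:    B protected = %d\n", sibling_protected(wr_checked));
    return 0;
}
```

In the model, the invariant worth asserting is that the per-core counter always equals the number of sibling vCPUs whose recorded state is "SSBD on"; the forwarding handler breaks it after a single redundant write.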

Comment 1 Anten Skrabec 2023-05-18 17:16:11 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 2208358]

Comment 2 Product Security DevOps Team 2023-05-18 22:42:05 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

