Bug 2167288 (CVE-2023-0045) - CVE-2023-0045 kernel: Bypassing Spectre-BTI User Space Mitigations
Summary: CVE-2023-0045 kernel: Bypassing Spectre-BTI User Space Mitigations
Status: NEW
Alias: CVE-2023-0045
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: Red Hat2167419 Red Hat2167421 Red Hat2167418 Red Hat2167420
Blocks: Embargoed2167265
TreeView+ depends on / blocked
Reported: 2023-02-06 06:25 UTC by Sandipan Roy
Modified: 2023-05-12 21:13 UTC (History)
37 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. This issue occurs due to a failure mitigating the Spectre-BTI attack (using the kernel API), as IBPB is not issued during the syscall until the next schedule, leaving the system vulnerable.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Sandipan Roy 2023-02-06 06:25:57 UTC
The Linux kernel does not correctly mitigate SMT attacks, as discovered
through a strange pattern in the kernel API using STIBP as a mitigation[1
<https://docs.kernel.org/userspace-api/spec_ctrl.html>], leaving the
process exposed for a short period of time after a syscall. The kernel also
does not issue an IBPB immediately during the syscall.
The ib_prctl_set [2
updates the Thread Information Flags (TIFs) for the task and updates the
SPEC_CTRL MSR on the function __speculation_ctrl_update [3
but the IBPB is only issued on the next schedule, when the TIF bits are
checked. This leaves the victim vulnerable to values already injected on
the BTB, prior to the prctl syscall.
The behavior is only corrected after a reschedule of the task happens.
Furthermore, the kernel entrance (due to the syscall itself), does not
issue an IBPB in the default scenarios (i.e., when the kernel protects
itself via retpoline or eIBRS).

Note You need to log in before you can comment on or make changes to this bug.