A flaw in the Linux Kernel found. First, based on the previous similar CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled.
However, despite this feature, there is still a risk of per-cpu entry area leaks.
In systems with KPTI enabled, only a minimal amount of kernel virtual memory is mapped for users, such as exception/system call entry handlers and any other necessary content for user-to-kernel transitions. However, discovered that the per-cpu entry area was also mapped to user space. As a result, the prefetchnta and prefetcht2 instructions are still effective, allowing us to leak the per-cpu entry area by conducting time-based attacks using prefetch instructions in the address range of 0xfffffe0000000000-0xfffffefffffff000. In fact, due to the insufficiently large address offset range and the step size of 0x3b000, the cpu entry area can be obtained within one or two minutes.
Essentially, this is a CPU-level address leak vulnerability
that affects the vast majority of Intel CPUs (possibly AMD CPUs as well),
due to the inability to resolve the issues introduced by KPTI (Kernel Page
TODO add link to the patch when becomes available.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2217524]