发布时间: 2023年3月4日
修改时间: 2024年10月31日
The Linux kernel does not correctly mitigate SMT attacks, as discoveredthrough a strange pattern in the kernel API using STIBP as a mitigation[1<https://docs.kernel.org/userspace-api/spec_ctrl.html>], leaving theprocess exposed for a short period of time after a syscall. The kernel alsodoes not issue an IBPB immediately during the syscall.The ib_prctl_set [2<https://elixir.bootlin.com/linux/v5.15.56/source/arch/x86/kernel/cpu/bugs.c#L1467>]functionupdates the Thread Information Flags (TIFs) for the task and updates theSPEC_CTRL MSR on the function __speculation_ctrl_update [3<https://elixir.bootlin.com/linux/v5.15.56/source/arch/x86/kernel/process.c#L557>],but the IBPB is only issued on the next schedule, when the TIF bits arechecked. This leaves the victim vulnerable to values already injected onthe BTB, prior to the prctl syscall.The behavior is only corrected after a reschedule of the task happens.Furthermore, the kernel entrance (due to the syscall itself), does notissue an IBPB in the default scenarios (i.e., when the kernel protectsitself via retpoline or eIBRS).
| NVD | openEuler | |
|---|---|---|
| Confidentiality | High | High |
| Attack Vector | Network | Local |
| CVSS评分 | 7.5 | 5.1 |
| Attack Complexity | Low | High |
| Privileges Required | None | None |
| Scope | Unchanged | Unchanged |
| Integrity | None | None |
| User Interaction | None | None |
| Availability | None | None |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2023-2102 | kernel security update | 2023年3月4日 |
| KylinSec-SA-2023-2110 | kernel security update | 2023年3月10日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-4A | kernel | Fixed |
| KY3.4-5A | kernel | Fixed |
| KY3.5.1 | kernel | Fixed |
| KY3.5.2 | kernel | Fixed |
