Date: Thu, 28 Nov 2019 07:37:42 +1100
From: Michael Ellerman <mpe@...erman.id.au>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-18660: Linux kernel: powerpc: missing Spectre-RSB mitigation

The Linux kernel for powerpc fails to activate the mitigation for Spectre-RSB (Return Stack Buffer, aka. ret2spec) on context switch, on CPUs prior to Power9 DD2.3.

This allows a process to poison the RSB (called Link Stack on Power CPUs) and possibly misdirect speculative execution of another process. If the victim process can be induced to execute a leak gadget then it may be possible to extract information from the victim via a side channel.

Mitigation for Spectre-RSB was introduced in commit:

  ee13cb249fab ("powerpc/64s: Add support for software count cache flush")

which was originally merged in v4.19.

However that commit incorrectly tied the code to flush the link stack to a firmware feature which is only enabled on newer CPUs (P9N DD2.3 or later), when it should have been applied to all CPUs that are affected by Spectre v2.

The fix is to enable the link stack flush on all CPUs that have any mitigation of Spectre v2 in userspace enabled.

This issue is assigned CVE-2019-18660.

CVSS 3.1 Score: 5.6 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

This issue was discovered by Anthony Steinhauser of Google's Safeside Project.

Additionally we have determined that when returning from a guest, there is the possibility that poisoned values on the link stack could be used by function returns in the host kernel. To mitigate this we have added a flush of the link stack in the guest exit path.

The fix is in mainline as:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=39e72bf96f5847ba87cc5bd7a3ce0fed813dc9ad

And the KVM fix is:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=af2e8c68b9c5403f77096969c516f742f5bb29e0

Both will be released in v5.5-rc1.

There's a test case attached, extracted from Google's safeside project. It can be built with:

  $ g++ -O2 -Wall -std=c++11 -m64 -o ret2spec_recursion_ca ret2spec_recursion_ca.cc

Output on an unpatched system:

  $ ./ret2spec_recursion_ca
  Leaking the string: It's a s3kr3t!!!
  16 bytes successfully leaked
  FAIL! Was able to leak the secret

vs patched:

  $ ./ret2spec_recursion_ca
  Leaking the string: ????????????????
  0 bytes successfully leaked
  PASS! Unable to leak the secret

cheers

[Attachment: "ret2spec_recursion_ca.cc" (text/plain, 15243 bytes)]
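A defender-side check added here, not part of Michael Ellerman's post nor code from the kernel or the safeside project: a small script that reads the powerpc spectre_v2 sysfs status and reports whether the link stack (RSB) flush is listed alongside the count cache flush. The advisory's point is that a kernel can show a Spectre v2 "Mitigation:" line while the link stack flush is still off on pre-Power9-DD2.3 CPUs, so the presence of a mitigation string alone is not proof of the CVE-2019-18660 fix. The sysfs path /sys/devices/system/cpu/vulnerabilities/spectre_v2 is the standard one; the exact status wording, in particular the "Software link stack flush" suffix, and the sample lines are assumptions modelled on arch/powerpc/kernel/security.c, so verify them against the kernel you run.

```python
"""Report whether a powerpc kernel lists the Spectre-RSB (link stack) flush
in its spectre_v2 status, as a post-CVE-2019-18660 sanity check.

Added example; the sysfs status strings below are assumptions modelled on
the wording of arch/powerpc/kernel/security.c, not text from the advisory.
"""
from pathlib import Path
from typing import Optional

SYSFS_SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Substring the fixed kernel is assumed to append when the link stack
# flush is enabled (assumption, see lead-in).
LINK_STACK_MARKER = "Software link stack flush"


def parse_spectre_v2(status: str) -> dict:
    """Break a spectre_v2 status line into the facts a reviewer needs.

    Returns a dict with:
      state             - "not_affected", "vulnerable", "mitigated" or "unknown"
      link_stack_flush  - True if the link stack flush marker is present
      count_cache_flush - True if a software count cache flush is reported
    """
    s = status.strip()
    if s.startswith("Not affected"):
        state = "not_affected"
    elif s.startswith("Vulnerable"):
        state = "vulnerable"
    elif s.startswith("Mitigation:"):
        state = "mitigated"
    else:
        state = "unknown"
    return {
        "state": state,
        "link_stack_flush": LINK_STACK_MARKER in s,
        "count_cache_flush": "count cache flush" in s,
    }


def assess(status: str) -> str:
    """Map a status line to an actionable verdict for CVE-2019-18660.

    A bare "Mitigation:" is not enough: the bug in ee13cb249fab was exactly
    that the count cache flush was on while the link stack flush stayed off,
    so the link stack flush must be listed as well.
    """
    facts = parse_spectre_v2(status)
    if facts["state"] == "not_affected":
        return "ok: CPU reported not affected by Spectre v2"
    if facts["state"] == "vulnerable":
        return "vulnerable: no Spectre v2 mitigation active at all"
    if facts["state"] == "mitigated" and facts["link_stack_flush"]:
        return "ok: Spectre v2 mitigation includes link stack (RSB) flush"
    if facts["state"] == "mitigated":
        return ("check: Spectre v2 mitigated but no link stack flush reported; "
                "kernel may lack the CVE-2019-18660 fix (mainline v5.5-rc1)")
    return "unknown: unrecognised spectre_v2 status line"


def read_status(path: Path = SYSFS_SPECTRE_V2) -> Optional[str]:
    """Read the live sysfs file, or None when it is absent or unreadable."""
    try:
        return path.read_text()
    except OSError:
        return None


# Constructed sample lines for offline use; wording is assumed, not captured.
SAMPLES = {
    "pre_fix": "Mitigation: Software count cache flush (hardware accelerated)\n",
    "post_fix": ("Mitigation: Software count cache flush (hardware accelerated), "
                 "Software link stack flush\n"),
    "none": "Vulnerable\n",
    "na": "Not affected\n",
}

if __name__ == "__main__":
    live = read_status()
    if live is None:
        print("spectre_v2 sysfs entry not readable; showing constructed samples")
        for name, line in SAMPLES.items():
            print(f"{name:9s} {line.strip()!r} -> {assess(line)}")
    else:
        print(live.strip(), "->", assess(live))
```

Run it on the powerpc host in question; a "check:" verdict on a pre-Power9-DD2.3 machine is the cue to confirm whether the distribution kernel carries the backport of 39e72bf96f58 (and af2e8c68b9c5 for KVM hosts), since a version number alone does not tell you that.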