Whoops: The Linux Kernel's Spectre RSB Mitigation For PowerPC Missed Covering Some CPUs
Even with all the light shed on Spectre over the past nearly two years, it turns out that the Linux kernel's mitigation for the Spectre RSB (Return Stack Buffer) disclosure, which did affect IBM POWER processors, was not being applied to all of the CPUs it should have covered until this week.
The Linux kernel's failure to apply the Spectre RSB mitigation to all affected PowerPC processors resulted in CVE-2019-18660.
The commit that landed yesterday in mainline Git explained:
We failed to activate the mitigation for Spectre-RSB (Return Stack Buffer, aka. ret2spec) on context switch, on CPUs prior to Power9 DD2.3.
That allows a process to poison the RSB (called Link Stack on Power CPUs) and possibly misdirect speculative execution of another process. If the victim process can be induced to execute a leak gadget then it may be possible to extract information from the victim via a side channel.
The fix is to correctly activate the link stack flush mitigation on all CPUs that have any mitigation of Spectre v2 in userspace enabled.
There's a second commit which adds a link stack flush in the KVM guest exit path. A leak via that path has not been demonstrated, but we believe it's at least theoretically possible.
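As a reading aid for the quoted commit message, here is a constructed C model, added to this article and not kernel code or IBM's predictor, of why a return-address predictor that is shared across processes leaks across a context switch unless it is flushed. The depth of 32, the addresses, and the behaviour on underflow are assumptions of the model (a real predictor's underflow behaviour is implementation-specific), and the real kernel mitigation is a sequence of branch-and-link instructions executed on context switch rather than the ls_flush() function below.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of a return-address predictor: the "link stack" on
 * POWER, the RSB on x86.  It is a small circular stack of predicted return
 * targets shared by every process that runs on the core.  Depth and
 * underflow behaviour are assumptions of this model, not documented hardware.
 */
#define LINK_STACK_DEPTH 32

enum {
    ADDR_VICTIM_RET = 0x1000,   /* where the victim's own calls return to   */
    ADDR_GADGET     = 0xdead,   /* attacker-chosen target: a leak gadget    */
    ADDR_SAFE_TRAP  = 0x2000    /* harmless target the flush sequence leaves */
};

struct link_stack {
    uint32_t entry[LINK_STACK_DEPTH];
    unsigned top;               /* index of the next free slot */
};

/* Models "bl": the predictor records the address the call will return to. */
static void ls_call(struct link_stack *ls, uint32_t ret_addr)
{
    ls->entry[ls->top] = ret_addr;
    ls->top = (ls->top + 1) % LINK_STACK_DEPTH;
}

/*
 * Models "blr": the predictor hands back the target it will speculatively
 * return to.  Popping past the entries the current process pushed wraps
 * around and yields whatever the previous process left behind (assumption).
 */
static uint32_t ls_predict_return(struct link_stack *ls)
{
    ls->top = (ls->top + LINK_STACK_DEPTH - 1) % LINK_STACK_DEPTH;
    return ls->entry[ls->top];
}

/* Models the mitigation: overwrite every entry with a harmless target. */
static void ls_flush(struct link_stack *ls)
{
    for (int i = 0; i < LINK_STACK_DEPTH; i++)
        ls_call(ls, ADDR_SAFE_TRAP);
}

/*
 * Run the attacker, then a context switch (flushed or not), then the victim,
 * and return the target the predictor supplies for the victim's last return.
 */
static uint32_t simulate_victim_return(int flush_on_context_switch)
{
    struct link_stack ls = { .top = 0 };

    /* Attacker process: fill the predictor with calls whose recorded return
     * target is the leak gadget, and never return, so the entries remain. */
    for (int i = 0; i < LINK_STACK_DEPTH; i++)
        ls_call(&ls, ADDR_GADGET);

    /* Kernel context switch from attacker to victim. */
    if (flush_on_context_switch)
        ls_flush(&ls);

    /* Victim process: three nested calls, then four returns.  The first three
     * match its own entries; the fourth pops whatever the predictor holds. */
    for (int i = 0; i < 3; i++)
        ls_call(&ls, ADDR_VICTIM_RET);

    uint32_t predicted = 0;
    for (int i = 0; i < 4; i++)
        predicted = ls_predict_return(&ls);

    return predicted;
}

int main(void)
{
    printf("no flush on context switch: victim's 4th return predicted to 0x%x\n",
           simulate_victim_return(0));
    printf("flush on context switch:    victim's 4th return predicted to 0x%x\n",
           simulate_victim_return(1));
    return 0;
}
```

In the unflushed run the victim's fourth return is predicted into the attacker's gadget address, which is the misdirected speculation the commit message describes; with the flush on every switch the stale entry is a harmless one. The model also shows why the fix had to be keyed off "any Spectre v2 userspace mitigation enabled" rather than a CPU revision: the leak needs nothing more than a shared predictor and a switch between processes.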
Since yesterday the fix has been in Linux 5.5 Git and has already been back-ported to the relevant stable trees. POWER9 DD2.3 is an updated Nimbus revision, whereas POWER9 DD2.2 is what most of the POWER9 Sforza / Monza / LaGrange chips currently out there are.