|
| 1 | + |
| 2 | +.. SPDX-License-Identifier: GPL-2.0 |
| 3 | +
|
| 4 | +Cross-Thread Return Address Predictions |
| 5 | +======================================= |
| 6 | + |
| 7 | +Certain AMD and Hygon processors are subject to a cross-thread return address |
| 8 | +predictions vulnerability. When running in SMT mode and one sibling thread |
| 9 | +transitions out of C0 state, the other sibling thread could use return target |
| 10 | +predictions from the sibling thread that transitioned out of C0. |
| 11 | + |
| 12 | +The Spectre v2 mitigations protect the Linux kernel, as it fills the return |
| 13 | +address prediction entries with safe targets when context switching to the idle |
| 14 | +thread. However, KVM does allow a VMM to prevent exiting guest mode when |
| 15 | +transitioning out of C0. This could result in a guest-controlled return target |
| 16 | +being consumed by the sibling thread. |
| 17 | + |
| 18 | +Affected processors |
| 19 | +------------------- |
| 20 | + |
| 21 | +The following CPUs are vulnerable: |
| 22 | + |
| 23 | + - AMD Family 17h processors |
| 24 | + - Hygon Family 18h processors |
| 25 | + |
| 26 | +Related CVEs |
| 27 | +------------ |
| 28 | + |
| 29 | +The following CVE entry is related to this issue: |
| 30 | + |
| 31 | + ============== ======================================= |
| 32 | + CVE-2022-27672 Cross-Thread Return Address Predictions |
| 33 | + ============== ======================================= |
| 34 | + |
| 35 | +Problem |
| 36 | +------- |
| 37 | + |
| 38 | +Affected SMT-capable processors support 1T and 2T modes of execution when SMT |
| 39 | +is enabled. In 2T mode, both threads in a core are executing code. For the |
| 40 | +processor core to enter 1T mode, it is required that one of the threads |
| 41 | +requests to transition out of the C0 state. This can be communicated with the |
| 42 | +HLT instruction or with an MWAIT instruction that requests non-C0. |
| 43 | +When the thread re-enters the C0 state, the processor transitions back |
| 44 | +to 2T mode, assuming the other thread is also still in C0 state. |
| 45 | + |
| 46 | +In affected processors, the return address predictor (RAP) is partitioned |
| 47 | +depending on the SMT mode. For instance, in 2T mode each thread uses a private |
| 48 | +16-entry RAP, but in 1T mode, the active thread uses a 32-entry RAP. Upon |
| 49 | +transition between 1T/2T mode, the RAP contents are not modified but the RAP |
| 50 | +pointers (which control the next return target to use for predictions) may |
| 51 | +change. This behavior may result in return targets from one SMT thread being |
| 52 | +used by RET predictions in the sibling thread following a 1T/2T switch. In |
| 53 | +particular, a RET instruction executed immediately after a transition to 1T may |
| 54 | +use a return target from the thread that just became idle. In theory, this |
| 55 | +could lead to information disclosure if the return targets used do not come |
| 56 | +from trustworthy code. |
| 57 | + |
| 58 | +Attack scenarios |
| 59 | +---------------- |
| 60 | + |
| 61 | +An attack can be mounted on affected processors by performing a series of CALL |
| 62 | +instructions with targeted return locations and then transitioning out of C0 |
| 63 | +state. |
| 64 | + |
| 65 | +Mitigation mechanism |
| 66 | +-------------------- |
| 67 | + |
| 68 | +Before entering idle state, the kernel context switches to the idle thread. The |
| 69 | +context switch fills the RAP entries (referred to as the RSB in Linux) with safe |
| 70 | +targets by performing a sequence of CALL instructions. |
| 71 | + |
| 72 | +Prevent a guest VM from directly putting the processor into an idle state by |
| 73 | +intercepting HLT and MWAIT instructions. |
| 74 | + |
| 75 | +Both mitigations are required to fully address this issue. |
| 76 | + |
| 77 | +Mitigation control on the kernel command line |
| 78 | +--------------------------------------------- |
| 79 | + |
| 80 | +Use existing Spectre v2 mitigations that will fill the RSB on context switch. |
| 81 | + |
| 82 | +Mitigation control for KVM - module parameter |
| 83 | +--------------------------------------------- |
| 84 | + |
| 85 | +By default, the KVM hypervisor mitigates this issue by intercepting guest |
| 86 | +attempts to transition out of C0. A VMM can use the KVM_CAP_X86_DISABLE_EXITS |
| 87 | +capability to override those interceptions, but since this is not common, the |
| 88 | +mitigation that covers this path is not enabled by default. |
| 89 | + |
| 90 | +The mitigation for the KVM_CAP_X86_DISABLE_EXITS capability can be turned on |
| 91 | +using the boolean module parameter mitigate_smt_rsb, e.g.: |
| 92 | + kvm.mitigate_smt_rsb=1 |
0 commit comments