Spectre-related flaw in Linux Kernel uncovered by Google researchers
Google’s product security response team has discovered a Spectre-related vulnerability in Linux kernel version 6.2, extending the threat posed by the bug that has plagued hardware and software vendors since 2018. The medium-severity flaw was reported to cloud service providers on December 31, 2022, and the Linux kernel was fixed on February 27, 2023.
The flaw surfaced when conventional IBRS, rather than enhanced IBRS, was enabled and the kernel contained logic that decided Single Thread Indirect Branch Predictors (STIBP) were not required. Because the IBRS bit is cleared on return to user space under legacy IBRS, this left user space threads exposed to cross-thread branch target injection, which is exactly what STIBP safeguards against.
Kernel 6.2 implements an optimization that disables STIBP when the Spectre v2 mitigation is IBRS or eIBRS. However, plain IBRS does not mitigate simultaneous multithreading (SMT) attacks on user space the way eIBRS does. Setting spectre_v2=ibrs on the kernel command line of a bare metal machine without eIBRS support also triggers the bug. As a result, the kernel failed to protect applications that had asked for protection against Spectre v2, leaving them open to attack from other processes running on the same physical core in another hyperthread. The consequence is potential information exposure, such as leaked private keys.
The moniker Spectre describes a set of vulnerabilities that abuse speculative execution, a processor performance optimization in which likely-needed instructions are executed in advance to save time. Spectre v2 – the variant implicated in this particular vulnerability – relies on timing side-channels to measure the misprediction rates of indirect branch prediction and thereby infer the contents of protected memory. This is especially concerning in a cloud environment where tenants share hardware.
After The Register reported on the scramble to fix the Meltdown and Spectre bugs, Intel published details about Indirect Branch Restricted Speculation (IBRS), a mechanism to restrict speculation of indirect branches. IBRS offers a defense against Spectre v2, which Intel calls Branch Target Injection. The bug hunters who identified the issue found that the attempts of Linux user space processes to defend against Spectre v2 did not work on VMs of at least one major cloud provider.
Rodrigo Rubira Branco (BSDaemon) and José Luiz discovered the flaw, and KP Singh, part of Google’s kernel team, worked on the fix and coordinated with the Linux maintainers to resolve the issue. The fix removed basic IBRS from the spectre_v2_in_ibrs_mode() check to keep STIBP on by default.
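To make the logic behind the fix concrete, here is a small constructed C model added to this article. It is not the kernel's own code from arch/x86/kernel/cpu/bugs.c; the enum values and helper names are assumptions chosen for illustration. It places the buggy 6.2-style check (legacy IBRS and eIBRS treated alike) beside the corrected check (only eIBRS makes STIBP redundant) and asks, for a thread that requested Spectre v2 protection on an SMT-enabled core, whether it ends up exposed to its sibling hyperthread.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the kernel's Spectre v2 mitigation modes.
 * Names are illustrative, not the kernel's enum. */
enum spectre_v2_mode {
    MODE_RETPOLINE, /* software mitigation, not IBRS-based */
    MODE_IBRS,      /* legacy IBRS: kernel sets the bit, it is cleared on return to user space */
    MODE_EIBRS      /* enhanced IBRS: always-on, also covers user space threads */
};

/* Buggy check (6.2 behaviour described in the article): both IBRS flavours
 * are assumed to make STIBP unnecessary. */
static bool ibrs_covers_user_buggy(enum spectre_v2_mode m)
{
    return m == MODE_IBRS || m == MODE_EIBRS;
}

/* Fixed check: only enhanced IBRS protects user space across hyperthreads,
 * so only eIBRS may switch STIBP off. */
static bool ibrs_covers_user_fixed(enum spectre_v2_mode m)
{
    return m == MODE_EIBRS;
}

/* Does a thread that asked for Spectre v2 protection actually get STIBP?
 * The optimisation skips STIBP when the kernel believes IBRS already covers it. */
static bool stibp_enabled(enum spectre_v2_mode m, bool smt, bool fixed)
{
    if (!smt)
        return false; /* no sibling thread on the core, STIBP has nothing to do */
    bool covered = fixed ? ibrs_covers_user_fixed(m) : ibrs_covers_user_buggy(m);
    return !covered;
}

/* Is the thread exposed to cross-thread branch target injection from a
 * process on the sibling hyperthread? */
static bool user_exposed(enum spectre_v2_mode m, bool smt, bool fixed)
{
    if (!smt)
        return false;           /* no hyperthread to attack from */
    if (m == MODE_EIBRS)
        return false;           /* eIBRS genuinely protects user space */
    return !stibp_enabled(m, smt, fixed);
}

static const char *mode_name(enum spectre_v2_mode m)
{
    switch (m) {
    case MODE_RETPOLINE: return "retpoline";
    case MODE_IBRS:      return "ibrs";
    default:             return "eibrs";
    }
}

int main(void)
{
    const enum spectre_v2_mode modes[] = { MODE_RETPOLINE, MODE_IBRS, MODE_EIBRS };
    printf("%-10s %-14s %-14s\n", "mode", "exposed(buggy)", "exposed(fixed)");
    for (unsigned i = 0; i < 3; i++)
        printf("%-10s %-14s %-14s\n", mode_name(modes[i]),
               user_exposed(modes[i], true, false) ? "yes" : "no",
               user_exposed(modes[i], true, true) ? "yes" : "no");
    return 0;
}
```

The only row that changes between the two columns is legacy IBRS: with the buggy check STIBP is skipped and the thread is exposed; with the corrected check STIBP stays on. Retpoline and eIBRS behave identically under both checks, which is why the fix could be limited to narrowing the IBRS test.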
In conclusion, the Spectre-related flaw in version 6.2 of the Linux kernel, discovered by Google’s product security response team, left applications open to attack from other processes running on the same physical core in another hyperthread. The vulnerability was discovered when plain IBRS was enabled, not enhanced IBRS, leaving user space threads vulnerable to cross-thread branch target injection, which STIBP protects against. The vulnerability was reported to cloud service providers on December 31, 2022, and was patched in Linux on February 27, 2023.
The sources for this piece include an article in The Register.