Message-ID: <87h82p12eh.fsf@mpe.ellerman.id.au>
Date: Thu, 28 Nov 2019 07:37:42 +1100
From: Michael Ellerman <mpe@...erman.id.au>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-18660: Linux kernel: powerpc: missing Spectre-RSB mitigation

The Linux kernel for powerpc fails to activate the mitigation for Spectre-RSB
(Return Stack Buffer, aka. ret2spec) on context switch, on CPUs prior to Power9
DD2.3.

This allows a process to poison the RSB (called Link Stack on Power CPUs) and
possibly misdirect speculative execution of another process. If the victim
process can be induced to execute a leak gadget then it may be possible to
extract information from the victim via a side channel.

Mitigation for Spectre-RSB was introduced in commit:
  ee13cb249fab (“powerpc/64s: Add support for software count cache flush”)

Which was originally merged in v4.19.

However, that commit incorrectly tied the code to flush the link stack to a
firmware feature which is only enabled on newer CPUs (P9N DD2.3 or later), when
it should have been applied to all CPUs that are affected by Spectre v2.

The fix is to enable the link stack flush on all CPUs that have any mitigation
of Spectre v2 in userspace enabled.

This issue is assigned CVE-2019-18660.

CVSS 3.1 Score: 5.6
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

This issue was discovered by Anthony Steinhauser of Google's Safeside Project.

Additionally, we have determined that when returning from a guest, there is the
possibility that poisoned values on the link stack could be used by function
returns in the host kernel. To mitigate this we have added a flush of the link
stack in the guest exit path.

The fix is in mainline as:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=39e72bf96f5847ba87cc5bd7a3ce0fed813dc9ad

And the KVM fix is:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=af2e8c68b9c5403f77096969c516f742f5bb29e0

Both will be released in v5.5-rc1.

There's a test case attached, extracted from Google's safeside project. It can
be built with:
  $ g++ -O2 -Wall -std=c++11 -m64 -o ret2spec_recursion_ca ret2spec_recursion_ca.cc

Output on an unpatched system:
  $ ./ret2spec_recursion_ca
  Leaking the string: It's a s3kr3t!!!
  16 bytes successfully leaked
  FAIL! Was able to leak the secret

vs patched:
  $ ./ret2spec_recursion_ca
  Leaking the string: ????????????????
  0 bytes successfully leaked
  PASS! Unable to leak the secret

cheers


View attachment "ret2spec_recursion_ca.cc" of type "text/plain" (15243 bytes)
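As an added example (not part of the advisory, the attachment, or the kernel's own code), the following check classifies the powerpc spectre_v2 sysfs report with the condition the advisory describes: a Spectre v2 userspace mitigation is active but the link stack is never flushed on context switch. The exact "Software link stack flush" wording reported by a fixed kernel, and the sample lines, are assumptions made here and are not quoted in the advisory.

```python
# Added example: classify the powerpc spectre_v2 sysfs report for CVE-2019-18660.
# ASSUMPTION: a kernel carrying the fix appends "Software link stack flush" to the
# mitigation string; that wording is not stated in the advisory.
from dataclasses import dataclass
from typing import Optional

SYSFS_SPECTRE_V2 = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"


@dataclass(frozen=True)
class SpectreV2Status:
    affected: bool            # False when the kernel reports "Not affected"
    mitigated: bool           # some Spectre v2 mitigation is active
    count_cache_flush: bool   # branch predictor (count cache) flush on context switch
    link_stack_flush: bool    # link stack (RSB) flush on context switch


def parse_spectre_v2(text: str) -> SpectreV2Status:
    """Parse one line of the spectre_v2 sysfs file into a status record."""
    lower = text.strip().lower()
    if lower.startswith("not affected"):
        return SpectreV2Status(False, False, False, False)
    return SpectreV2Status(
        affected=True,
        mitigated=lower.startswith("mitigation:"),
        count_cache_flush="count cache flush" in lower,
        link_stack_flush="link stack flush" in lower,
    )


def exposed_to_cve_2019_18660(status: SpectreV2Status) -> bool:
    """The advisory's bug: Spectre v2 is mitigated, yet the link stack is not flushed.
    A plain "Vulnerable" host is a different (wider) problem and returns False here."""
    return status.affected and status.mitigated and not status.link_stack_flush


def check_running_system() -> Optional[SpectreV2Status]:
    """Read the live sysfs file; None on non-Linux hosts or kernels without it."""
    try:
        with open(SYSFS_SPECTRE_V2) as f:
            return parse_spectre_v2(f.read())
    except OSError:
        return None


# Constructed sample lines (not captured from real hosts), in the sysfs format.
SAMPLES = {
    "unpatched":  "Mitigation: Software count cache flush (hardware accelerated)",
    "patched":    "Mitigation: Software count cache flush, Software link stack flush",
    "vulnerable": "Vulnerable",
    "unaffected": "Not affected",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        st = parse_spectre_v2(line)
        print(f"{name:10s} exposed={exposed_to_cve_2019_18660(st)!s:5s} <- {line}")
```

Run it on a powerpc host to read the live file via `check_running_system()`; on other hosts only the constructed samples are classified.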
