[SRU PR Jammy] CVE-2023-20569 - AMD SRSO

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Fri Sep 1 01:39:18 UTC 2023


The following changes since commit 8e01c63c8de30a27a4f87e4f86e69403aaf6aa5b:

  e1000e: Use PME poll to circumvent unreliable ACPI wake (2023-08-31 11:16:50 +0200)

are available in the Git repository at:

  git+ssh://cascardo@git.launchpad.net/~cascardo/ubuntu/+source/linux/+git/jammy srso+master

for you to fetch changes up to 785e38eb6f4343afe59aea187d0a782251c3a9f2:

  Ubuntu: [Config]: enable Speculative Return Stack Overflow mitigation (2023-08-31 22:28:42 -0300)

----------------------------------------------------------------

[Impact]
 A side channel vulnerability on some of the AMD CPUs may allow an attacker
 to influence the return address prediction. This may result in speculative
 execution at an attacker-controlled address, potentially leading to
 information disclosure.

[Backport]
Patches have been backported from 5.15.y upstream stable. Minor conflicts
around previous backports of GDS and DIV0 had to be handled.

Backports for 6.1 and 6.2 are on their way.

[Tests]
Tests were run on an AWS Zen1 instance with no IBRS or IBPB. Mitigation
options were toggled and vulnerability mitigation reports were as
expected.

An Intel VM was booted with spectre_v2=retpoline.

An AMD Zen3 metal instance was tested as well with an SVM guest booted on top
of it with the same kernel. spec_rstack_overflow report was as expected.

[Potential regression]
This could cause boot problems and also cause some CPU vulnerability
mitigations, especially Retbleed, to regress.


----------------------------------------------------------------
Borislav Petkov (AMD) (9):
      x86/srso: Add a Speculative RAS Overflow mitigation
      x86/srso: Add IBPB_BRTYPE support
      x86/srso: Add SRSO_NO support
      x86/srso: Add IBPB
      x86/srso: Add IBPB on VMEXIT
      x86/srso: Tie SBPB bit setting to microcode patch detection
      x86/srso: Explain the untraining sequences a bit more
      x86/srso: Disable the mitigation on unaffected configurations
      x86/srso: Correct the mitigation status when SMT is disabled

Greg Kroah-Hartman (1):
      x86: fix backwards merge of GDS/SRSO bit

Josh Poimboeuf (2):
      x86/srso: Fix return thunks in generated code
      objtool: Add frame-pointer-specific function ignore

Kim Phillips (1):
      x86/cpu, kvm: Add support for CPUID_80000021_EAX

Nick Desaulniers (1):
      x86/srso: Fix build breakage with the LLVM linker

Peter Zijlstra (11):
      x86/cpu: Fix __x86_return_thunk symbol type
      x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk()
      x86/alternative: Make custom return thunk unconditional
      x86/ibt: Add ANNOTATE_NOENDBR
      x86/cpu: Clean up SRSO return thunk mess
      x86/cpu: Rename original retbleed methods
      x86/cpu: Rename srso_(.*)_alias to srso_alias_\1
      x86/cpu: Cleanup the untrain mess
      x86/static_call: Fix __static_call_fixup()
      objtool/x86: Fixup frame-pointer vs rethunk
      objtool/x86: Fix SRSO mess

Petr Pavlu (1):
      x86/retpoline,kprobes: Fix position of thunk sections with CONFIG_LTO_CLANG

Sean Christopherson (1):
      x86/retpoline: Don't clobber RFLAGS during srso_safe_ret()

Thadeu Lima de Souza Cascardo (1):
      Ubuntu: [Config]: enable Speculative Return Stack Overflow mitigation

 Documentation/admin-guide/hw-vuln/index.rst     |   1 +
 Documentation/admin-guide/hw-vuln/srso.rst      | 133 ++++++++++++++++
 Documentation/admin-guide/kernel-parameters.txt |  11 ++
 arch/x86/Kconfig                                |   7 +
 arch/x86/include/asm/cpufeature.h               |   7 +-
 arch/x86/include/asm/cpufeatures.h              |  11 +-
 arch/x86/include/asm/disabled-features.h        |   3 +-
 arch/x86/include/asm/msr-index.h                |   1 +
 arch/x86/include/asm/nospec-branch.h            |  34 ++--
 arch/x86/include/asm/processor.h                |   2 +
 arch/x86/include/asm/required-features.h        |   3 +-
 arch/x86/kernel/cpu/amd.c                       |  19 +++
 arch/x86/kernel/cpu/bugs.c                      | 197 ++++++++++++++++++++++++
 arch/x86/kernel/cpu/common.c                    |  15 +-
 arch/x86/kernel/static_call.c                   |  13 ++
 arch/x86/kernel/vmlinux.lds.S                   |  38 ++++-
 arch/x86/kvm/cpuid.c                            |   3 +
 arch/x86/kvm/reverse_cpuid.h                    |   1 +
 arch/x86/kvm/svm/svm.c                          |   4 +-
 arch/x86/kvm/svm/vmenter.S                      |   3 +
 arch/x86/lib/retpoline.S                        | 158 +++++++++++++++++--
 debian.master/config/annotations                |   1 +
 drivers/base/cpu.c                              |   8 +
 include/linux/cpu.h                             |   2 +
 include/linux/objtool.h                         |  28 ++++
 tools/include/linux/objtool.h                   |  28 ++++
 tools/objtool/arch/x86/decode.c                 |   6 +
 tools/objtool/check.c                           |  43 ++++--
 tools/objtool/include/objtool/arch.h            |   1 +
 tools/objtool/include/objtool/elf.h             |   1 +
 30 files changed, 738 insertions(+), 44 deletions(-)
 create mode 100644 Documentation/admin-guide/hw-vuln/srso.rst
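
The sysfs check behind the [Tests] and [Potential regression] notes, as an added example that is not part of the original message or of the kernel tree: it classifies the spec_rstack_overflow and retbleed reports found under /sys/devices/system/cpu/vulnerabilities. The function names, the constructed sample status strings and the choice to flag any "no microcode" status as incomplete are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the sysfs reports for the two mitigations named above.

# Map one status line to a verdict.
classify_status() {
    case "$1" in
        "Not affected"*)   echo not_affected ;;
        *"no microcode"*)  echo needs_microcode ;;  # assumption: treated as incomplete
        "Mitigation:"*)    echo mitigated ;;
        "Vulnerable"*)     echo vulnerable ;;
        *)                 echo unknown ;;
    esac
}

# report DIR: print "<entry> <verdict> <raw status>" for each entry and return 1
# if any entry is missing, vulnerable, unknown or lacks microcode.
report() {
    dir=$1
    rc=0
    for entry in spec_rstack_overflow retbleed; do
        if [ -r "$dir/$entry" ]; then
            status=$(cat "$dir/$entry")
            verdict=$(classify_status "$status")
        else
            # A kernel without the patch set has no such report at all.
            status="(no such file)"
            verdict=missing
        fi
        echo "$entry $verdict $status"
        case "$verdict" in
            mitigated|not_affected) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a temporary directory standing in for
# /sys/devices/system/cpu/vulnerabilities on a patched AMD host.
demo=$(mktemp -d)
echo "Mitigation: safe RET" > "$demo/spec_rstack_overflow"
echo "Mitigation: untrained return thunk; SMT disabled" > "$demo/retbleed"
report "$demo" || echo "attention needed"
rm -rf "$demo"
```

On a real host, call `report /sys/devices/system/cpu/vulnerabilities` before and after the kernel update and compare the two outputs.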


