ACK: [SRU PR Jammy] CVE-2023-20569 - AMD SRSO

Roxana Nicolescu roxana.nicolescu at canonical.com
Fri Sep 1 08:19:26 UTC 2023 

On 01/09/2023 03:39, Thadeu Lima de Souza Cascardo wrote:
> The following changes since commit 8e01c63c8de30a27a4f87e4f86e69403aaf6aa5b:
>
>    e1000e: Use PME poll to circumvent unreliable ACPI wake (2023-08-31 11:16:50 +0200)
>
> are available in the Git repository at:
>
>    git+ssh://cascardo@git.launchpad.net/~cascardo/ubuntu/+source/linux/+git/jammy srso+master
>
> for you to fetch changes up to 785e38eb6f4343afe59aea187d0a782251c3a9f2:
>
>    Ubuntu: [Config]: enable Speculative Return Stack Overflow mitigation (2023-08-31 22:28:42 -0300)
>
> ----------------------------------------------------------------
>
> [Impact]
>   A side channel vulnerability on some of the AMD CPUs may allow an attacker
>   to influence the return address prediction. This may result in speculative
>   execution at an attacker-controlled address, potentially leading to
>   information disclosure.
>
> [Backport]
> Patches have been backported from 5.15.y upstream stable. Minor conflicts
> around previous backports of GDS and DIV0 had to be handled.
>
> Backports for 6.1 and 6.2 are on their way.
>
> [Tests]
> Tests were run on an AWS Zen1 instance with no IBRS or IBPB. Mitigation
> options were toggled and vulnerabilities mitigations reports were as
> expected.
>
> An Intel VM was booted with spectre_v2=retpoline.
>
> An AMD Zen3 metal instance was tested as well with an SVM guest booted on top
> of it with the same kernel. spec_rstack_overflow report was as expected.
>
> [Potential regression]
> This could cause boot problems and also cause some CPU vulnerabilties
> mitigations, specially Retbleed, to regress.
>
>
> ----------------------------------------------------------------
> Borislav Petkov (AMD) (9):
>        x86/srso: Add a Speculative RAS Overflow mitigation
>        x86/srso: Add IBPB_BRTYPE support
>        x86/srso: Add SRSO_NO support
>        x86/srso: Add IBPB
>        x86/srso: Add IBPB on VMEXIT
>        x86/srso: Tie SBPB bit setting to microcode patch detection
>        x86/srso: Explain the untraining sequences a bit more
>        x86/srso: Disable the mitigation on unaffected configurations
>        x86/srso: Correct the mitigation status when SMT is disabled
>
> Greg Kroah-Hartman (1):
>        x86: fix backwards merge of GDS/SRSO bit
>
> Josh Poimboeuf (2):
>        x86/srso: Fix return thunks in generated code
>        objtool: Add frame-pointer-specific function ignore
>
> Kim Phillips (1):
>        x86/cpu, kvm: Add support for CPUID_80000021_EAX
>
> Nick Desaulniers (1):
>        x86/srso: Fix build breakage with the LLVM linker
>
> Peter Zijlstra (11):
>        x86/cpu: Fix __x86_return_thunk symbol type
>        x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk()
>        x86/alternative: Make custom return thunk unconditional
>        x86/ibt: Add ANNOTATE_NOENDBR
>        x86/cpu: Clean up SRSO return thunk mess
>        x86/cpu: Rename original retbleed methods
>        x86/cpu: Rename srso_(.*)_alias to srso_alias_\1
>        x86/cpu: Cleanup the untrain mess
>        x86/static_call: Fix __static_call_fixup()
>        objtool/x86: Fixup frame-pointer vs rethunk
>        objtool/x86: Fix SRSO mess
>
> Petr Pavlu (1):
>        x86/retpoline,kprobes: Fix position of thunk sections with CONFIG_LTO_CLANG
>
> Sean Christopherson (1):
>        x86/retpoline: Don't clobber RFLAGS during srso_safe_ret()
>
> Thadeu Lima de Souza Cascardo (1):
>        Ubuntu: [Config]: enable Speculative Return Stack Overflow mitigation
>
>   Documentation/admin-guide/hw-vuln/index.rst     |   1 +
>   Documentation/admin-guide/hw-vuln/srso.rst      | 133 ++++++++++++++++
>   Documentation/admin-guide/kernel-parameters.txt |  11 ++
>   arch/x86/Kconfig                                |   7 +
>   arch/x86/include/asm/cpufeature.h               |   7 +-
>   arch/x86/include/asm/cpufeatures.h              |  11 +-
>   arch/x86/include/asm/disabled-features.h        |   3 +-
>   arch/x86/include/asm/msr-index.h                |   1 +
>   arch/x86/include/asm/nospec-branch.h            |  34 ++--
>   arch/x86/include/asm/processor.h                |   2 +
>   arch/x86/include/asm/required-features.h        |   3 +-
>   arch/x86/kernel/cpu/amd.c                       |  19 +++
>   arch/x86/kernel/cpu/bugs.c                      | 197 ++++++++++++++++++++++++
>   arch/x86/kernel/cpu/common.c                    |  15 +-
>   arch/x86/kernel/static_call.c                   |  13 ++
>   arch/x86/kernel/vmlinux.lds.S                   |  38 ++++-
>   arch/x86/kvm/cpuid.c                            |   3 +
>   arch/x86/kvm/reverse_cpuid.h                    |   1 +
>   arch/x86/kvm/svm/svm.c                          |   4 +-
>   arch/x86/kvm/svm/vmenter.S                      |   3 +
>   arch/x86/lib/retpoline.S                        | 158 +++++++++++++++++--
>   debian.master/config/annotations                |   1 +
>   drivers/base/cpu.c                              |   8 +
>   include/linux/cpu.h                             |   2 +
>   include/linux/objtool.h                         |  28 ++++
>   tools/include/linux/objtool.h                   |  28 ++++
>   tools/objtool/arch/x86/decode.c                 |   6 +
>   tools/objtool/check.c                           |  43 ++++--
>   tools/objtool/include/objtool/arch.h            |   1 +
>   tools/objtool/include/objtool/elf.h             |   1 +
>   30 files changed, 738 insertions(+), 44 deletions(-)
>   create mode 100644 Documentation/admin-guide/hw-vuln/srso.rst
>
>
>
Acked-by: Roxana Nicolescu <roxana.nicolescu at canonical.com>

More information about the kernel-team mailing list