[Kernel-packages] [Bug 2060909] Re: Apply mitigations for the native BHI hardware vulnerability

2024-04-19 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 6.8.0-28.28

---
linux (6.8.0-28.28) noble; urgency=medium

  * noble/linux: 6.8.0-28.28 -proposed tracker (LP: #2061867)

  * linux-gcp 6.8.0-1005.5 (+ others) Noble kernel regression with new apparmor
    profiles/features (LP: #2061851)
    - SAUCE: apparmor4.0.0 [92/90]: fix address mapping for recvfrom

 -- Paolo Pisati   Tue, 16 Apr 2024 18:29:17 +0200

** Changed in: linux (Ubuntu Noble)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2060909

Title:
  Apply mitigations for the native BHI hardware vulnerability

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Noble:
  Fix Released

Bug description:
  [Impact]

  Branch History Injection (BHI) attacks may allow a malicious
  application to influence indirect branch prediction in kernel by
  poisoning the branch history. eIBRS isolates indirect branch targets
  in ring0.

  The BHB can still influence the choice of indirect branch predictor
  entry, and although branch predictor entries are isolated between
  modes when eIBRS is enabled, the BHB itself is not isolated between
  modes.

  Previously the only known real-world BHB attack vector was via
  unprivileged eBPF. Further research has found attacks that don't
  require unprivileged eBPF.

  See also:
  https://www.phoronix.com/news/Linux-BHI-Branch-History-Inject

  [Test case]

  https://www.vusec.net/projects/native-bhi/

  [Fix]

  Backport from upstream the merge that introduces spectre_bhi= boot
  option to control BHI mitigation:

   2bb69f5fc721 ("Merge tag 'nativebhi' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip")
   ed2e8d49b54d ("KVM: x86: Add BHI_NO")
   95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
   ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
   be482ff95009 ("x86/bhi: Enumerate Branch History Injection (BHI) bug")
   0f4a837615ff ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S")
   7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall entry")
   1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system calls")
   0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file")

  Also set spectre_bhi=auto by default, that will rely on the BHI_DIS_S
  hardware control if it's available on the system CPUs, otherwise a
  proper software sequence will be executed at VMexit.

  NOTE: we may get these changes via stable update in 6.8, when that
  happens we can drop this backport and apply the patch set like any
  other regular stable update.

  [Regression potential]

  We may experience performance regressions with this new mitigation
  enabled, especially in VMs and CPUs that don't have the BHI hardware
  support capability (due to the extra software sequence executed at
  VMexit).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2060909/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
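
Added example (not part of the bug report or the kernel sources): one way to check which BHI mitigation a host ended up with after the update, by reading the BHI field of the 'spectre_v2' sysfs file and the spectre_bhi= boot option. The sample status lines are constructed, and the wording of the BHI field other than BHI_DIS_S is an assumption about what the kernel prints.

```shell
#!/bin/sh
# Constructed sample status lines (not captured from a real host). The exact
# wording of the BHI field is an assumption; only BHI_DIS_S is named on the page.
SAMPLE_HW='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S'
SAMPLE_SW='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop'
SAMPLE_OLD='Mitigation: Enhanced / Automatic IBRS, IBPB: conditional, RSB filling, PBRSB-eIBRS: SW sequence'

# Print the "BHI: ..." field of a spectre_v2 status line. Fields are split on
# semicolons only, because a field may itself contain commas.
bhi_field() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^ *\(BHI: .*\)$/\1/p' | head -n 1
}

# Classify the BHI field into one coarse state for fleet reporting.
bhi_mode() {
    field=$(bhi_field "$1")
    case "$field" in
        '')               echo not-reported ;;  # kernel without the backport
        *'Not affected'*) echo not-affected ;;
        *Vulnerable*)     echo vulnerable ;;
        *BHI_DIS_S*)      echo hardware ;;      # BHI_DIS_S hardware control
        *'SW loop'*)      echo software ;;      # software clearing sequence
        *)                echo other ;;
    esac
}

# Value of spectre_bhi= on a kernel command line (last occurrence taken);
# "auto" when absent, the default the bug description states.
bhi_cmdline() {
    val=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^spectre_bhi=//p' | tail -n 1)
    echo "${val:-auto}"
}

# On a live host, report the real state; skipped where sysfs is unavailable.
SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2
if [ -r "$SYSFS" ]; then
    echo "BHI: $(bhi_mode "$(cat "$SYSFS")"), spectre_bhi=$(bhi_cmdline "$(cat /proc/cmdline 2>/dev/null)")"
fi
```

A result of "software" on hosts that run VMs marks the machines where the performance cost noted under [Regression potential] is most likely to show up.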


[Kernel-packages] [Bug 2060909] Re: Apply mitigations for the native BHI hardware vulnerability

2024-04-11 Thread Andrea Righi
** Description changed:

  [Impact]
  
  Branch History Injection (BHI) attacks may allow a malicious application
  to influence indirect branch prediction in kernel by poisoning the
  branch history. eIBRS isolates indirect branch targets in ring0.
  
  The BHB can still influence the choice of indirect branch predictor
  entry, and although branch predictor entries are isolated between modes
  when eIBRS is enabled, the BHB itself is not isolated between modes.
  
  Previously the only known real-world BHB attack vector was via
  unprivileged eBPF. Further research has found attacks that don't require
  unprivileged eBPF.
  
  See also:
  https://www.phoronix.com/news/Linux-BHI-Branch-History-Inject
  
  [Test case]
  
  https://www.vusec.net/projects/native-bhi/
  
  [Fix]
  
  Backport from upstream the merge that introduces spectre_bhi= boot
  option to control BHI mitigation:
  
   2bb69f5fc721 ("Merge tag 'nativebhi' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip")
   ed2e8d49b54d ("KVM: x86: Add BHI_NO")
   95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
   ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
   be482ff95009 ("x86/bhi: Enumerate Branch History Injection (BHI) bug")
   0f4a837615ff ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S")
   7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall 
entry")
   1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system 
calls")
   0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs 
file")
  
  Also set spectre_bhi=auto by default, that will rely on the BHI_DIS_S
  hardware control if it's available on the system CPUs, otherwise a
- proper software sequence will be deployed at VMexit.
+ proper software sequence will be executed at VMexit.
+ 
+ NOTE: we may get these changes via stable update in 6.8, when that
+ happens we can drop this backport and apply the patch set like any other
+ regular stable update.
  
  [Regression potential]
  
  We may experience performance regressions with this new mitigation
  enabled, especially in VMs and CPUs that don't have the BHI hardware
  support capability (due to the extra software sequence executed at
  VMexit).

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2060909

Title:
  Apply mitigations for the native BHI hardware vulnerability

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Noble:
  Fix Committed


[Kernel-packages] [Bug 2060909] Re: Apply mitigations for the native BHI hardware vulnerability

2024-04-11 Thread Andrea Righi
** Summary changed:

- Backport mitigations for the native BHI hardware vulnerabilty
+ Apply mitigations for the native BHI hardware vulnerabilty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2060909

Title:
  Apply mitigations for the native BHI hardware vulnerability

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Noble:
  Fix Committed
