Linux kernel logic allowed Spectre attack on 'major cloud provider'

Kernel 6.2 ditched a useful defense against ghostly chip design flaw

The Spectre vulnerability that has haunted hardware and software makers since 2018 continues to defy efforts to bury it.

On Thursday, Eduardo (sirdarckcat) Vela Nava, from Google's product security response team, disclosed a Spectre-related flaw in version 6.2 of the Linux kernel.

The bug, designated medium severity, was initially reported to cloud service providers – those most likely to be affected – on December 31, 2022, and was patched in Linux on February 27, 2023.

"The kernel failed to protect applications that attempted to protect against Spectre v2, leaving them open to attack from other processes running on the same physical core in another hyperthread," the vulnerability disclosure explains. The consequence of that attack is potential information exposure, such as leaked private keys, through this pernicious problem.

The moniker Spectre [PDF] describes a set of vulnerabilities that abuse speculative execution, a processor performance optimization in which potential instructions are executed in advance to save time.

It's timing, however, that animates Spectre. Spectre v2 – the variant implicated in this particular vulnerability – poisons the indirect branch predictor so that a victim speculatively executes an attacker-chosen code sequence, then uses a cache-timing side-channel to recover what that sequence touched, inferring the contents of memory the attacker has no right to read. That's a poor fit for a cloud environment where tenants share hardware.

Shortly after The Register first reported on the scramble to fix the Meltdown and Spectre bugs, Intel published details about Indirect Branch Restricted Speculation (IBRS), a mechanism to restrict speculation of indirect branches, which tell processors to start executing instructions at a new location.

IBRS offers a defense against Spectre v2, which Intel calls Branch Target Injection. Branch Target Injection is a technique in which an attacker trains the shared branch predictor so that a victim's indirect branch speculatively jumps to attacker-chosen instructions, whose effect on the processor cache is then read back through a timing side-channel.

IBRS comes in two flavors: basic (legacy) and enhanced. And it's the basic flavor that proved distasteful from a security standpoint.

The bug hunters who identified the issue found that the protection Linux offers userspace processes against Spectre v2 didn't work on VMs of "at least one major cloud provider."

As the disclosure describes it, under basic IBRS, the 6.2 kernel had logic that opted out of STIBP (Single Thread Indirect Branch Predictors), a defense against the sharing of branch prediction between logical processors on a core.

"The IBRS bit implicitly protects against cross-thread branch target injection," the bug report explains. "However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects."

The Register understands that the issue arose from a misunderstanding of enhanced IBRS, which does not need STIBP to protect a thread against its sibling on the same core (simultaneous multithreading, or SMT, attacks) because the IBRS bit stays set; basic IBRS only provides that implicit protection while the bit is set.

The fix removed basic IBRS from the spectre_v2_in_ibrs_mode() check, in order to keep STIBP on by default.
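The following is an added example, a simplified C model of the decision logic described above, and not the kernel's own code: the enum, the function names and the assumption that the CPU supports STIBP and that SMT is possible are all illustrative. It contrasts the 6.2 check, which treated basic IBRS like enhanced IBRS and so turned STIBP off, with the corrected check that only treats enhanced IBRS as making STIBP redundant, and shows why a userspace thread that opted into STIBP was left unprotected under basic IBRS.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical model of the kernel's Spectre v2 mitigation modes.
 * Not the kernel's enum; names chosen for illustration.
 */
enum spectre_v2_mode {
    MODE_RETPOLINE, /* retpoline in the kernel, no IBRS */
    MODE_IBRS,      /* basic (legacy) IBRS: bit set on kernel entry, cleared on return to user */
    MODE_EIBRS,     /* enhanced IBRS: bit stays set, including while in userspace */
};

/* The 6.2 check: basic IBRS was lumped together with enhanced IBRS. */
static bool in_ibrs_mode_buggy(enum spectre_v2_mode m)
{
    return m == MODE_IBRS || m == MODE_EIBRS;
}

/* The corrected check: only enhanced IBRS makes STIBP redundant. */
static bool in_eibrs_mode(enum spectre_v2_mode m)
{
    return m == MODE_EIBRS;
}

/*
 * Does the kernel keep STIBP available for tasks that ask for it, e.g. via
 * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE)?
 * The real selection also requires CPU STIBP support and SMT being possible;
 * both are assumed true in this model.
 */
bool stibp_available(enum spectre_v2_mode m, bool fixed_logic)
{
    bool ibrs_said_to_cover_it = fixed_logic ? in_eibrs_mode(m)
                                             : in_ibrs_mode_buggy(m);
    return !ibrs_said_to_cover_it;
}

/* Is the IBRS bit still set while the thread runs in userspace? */
static bool ibrs_bit_set_in_user(enum spectre_v2_mode m)
{
    return m == MODE_EIBRS; /* basic IBRS clears it on return to user */
}

/*
 * Is a userspace thread that opted into STIBP protected against branch target
 * injection from the sibling hyperthread? Either the IBRS bit is set (implicit
 * STIBP) or the kernel honoured the explicit STIBP request.
 */
bool user_thread_cross_thread_protected(enum spectre_v2_mode m, bool fixed_logic)
{
    if (ibrs_bit_set_in_user(m))
        return true;
    return stibp_available(m, fixed_logic);
}

int main(void)
{
    const char *names[] = { "retpoline", "ibrs", "eibrs" };
    for (int m = MODE_RETPOLINE; m <= MODE_EIBRS; m++) {
        printf("%-9s  6.2 logic: %s   fixed logic: %s\n", names[m],
               user_thread_cross_thread_protected(m, false) ? "protected" : "EXPOSED",
               user_thread_cross_thread_protected(m, true)  ? "protected" : "EXPOSED");
    }
    return 0;
}
```

The only row that differs between the two columns is basic IBRS: the old check disabled STIBP because it assumed the IBRS bit would cover the thread, but under basic IBRS that bit is already cleared by the time the thread runs in userspace, so nothing was left protecting it.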

The ghostly flaw was identified by Rodrigo Rubira Branco (BSDaemon), when he was at Google, and José Luiz. KP Singh, part of Google's kernel team, worked on the fix and coordinated with the Linux maintainers to resolve the issue.

®
