Vulnerability in the mechanism of speculative instruction execution of AMD processors

The Grsecurity project has published details and a demonstration of an attack method for a new vulnerability (CVE-2021-26341) in AMD processors, related to speculative execution of instructions after unconditional forward branches. If the attack succeeds, the vulnerability allows the contents of arbitrary memory areas to be determined. For example, the researchers prepared an exploit that determines the address layout and bypasses the KASLR (kernel address space randomization) protection mechanism by executing unprivileged code in the eBPF kernel subsystem. Other attack scenarios that could lead to a leak of kernel memory contents cannot be ruled out.

The vulnerability allows conditions to be created under which the processor, during speculative execution, processes the instruction immediately following a branch instruction in memory (SLS, Straight Line Speculation). This optimization applies not only to conditional branches but also to instructions that perform a direct unconditional jump, such as JMP, RET and CALL. Arbitrary data that is not intended for execution can be placed after unconditional jump instructions. Once the processor determines that the branch does not lead to the next instruction, it simply rolls back its state and discards the speculative execution, but traces of the speculatively executed instructions remain in the shared cache and can be recovered using side-channel techniques.

As with exploitation of the Spectre-v1 vulnerability, the attack requires the presence of certain instruction sequences (gadgets) in the kernel that lead to speculative execution. Blocking the vulnerability therefore comes down to identifying such gadgets in the code and adding instructions to them that block speculative execution. Conditions for speculative execution can also be created by unprivileged programs running in the eBPF virtual machine. To block the ability to construct gadgets using eBPF, it is recommended to disable unprivileged access to eBPF on the system ("sysctl -w kernel.unprivileged_bpf_disabled=1").

The vulnerability affects processors based on the Zen 1 and Zen 2 microarchitectures, including the first and second generations of AMD EPYC and AMD Ryzen Threadripper, as well as the AMD Ryzen 2000/3000/4000/5000, AMD Athlon, AMD Athlon X, AMD Ryzen Threadripper PRO and A-series APU processors. To block speculative execution of instructions, it is recommended to place an INT3 or LFENCE instruction after branch instructions (RET, JMP, CALL).
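To check whether a compiled binary actually carries the mitigation described above (an INT3 or LFENCE placed directly after each RET and unconditional JMP), here is an added example that is not part of the article or of Grsecurity's work: a small scanner over objdump-style x86-64 disassembly that reports branches with no speculation stopper behind them. The disassembly text is a constructed sample, and the default set of scanned mnemonics (RET and JMP, with their `q`-suffixed spellings) is an assumption; pass CALL in `branches` to follow the article's full list.

```python
import re

# Constructed objdump -d style listing (AT&T syntax); not taken from any real binary.
SAMPLE_DISASM = """\
0000000000001130 <safe_ret>:
    1130:  48 89 f8              mov    %rdi,%rax
    1133:  c3                    ret
    1134:  cc                    int3
0000000000001135 <unsafe_ret>:
    1135:  48 89 f8              mov    %rdi,%rax
    1138:  c3                    ret
    1139:  0f 1f 00              nopl   (%rax)
0000000000001140 <unsafe_jmp>:
    1140:  ff e0                 jmp    *%rax
    1142:  90                    nop
0000000000001143 <fenced_jmp>:
    1143:  ff 25 00 00 00 00     jmp    *0x0(%rip)
    1149:  0f ae e8              lfence
"""

# address:  byte byte ...  mnemonic [operands]
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+\s*(\S+)(?:\s+(.*))?$")
SYM_RE = re.compile(r"^[0-9a-f]+ <(\S+)>:$")
# Instructions that halt straight-line speculation when placed after a branch.
STOPPERS = {"int3", "lfence"}


def parse(disasm: str):
    """Return a list of (symbol, address, mnemonic) in file order."""
    insns, sym = [], "?"
    for line in disasm.splitlines():
        m = SYM_RE.match(line)
        if m:
            sym = m.group(1)
            continue
        m = INSN_RE.match(line)
        if m:
            insns.append((sym, int(m.group(1), 16), m.group(2)))
    return insns


def find_unhardened(disasm: str, branches=("ret", "retq", "jmp", "jmpq")):
    """List (symbol, hex address, mnemonic, next mnemonic) for every scanned
    branch whose straight-line successor is not INT3 or LFENCE.  The successor
    is taken across symbol boundaries because the CPU does not see labels."""
    insns = parse(disasm)
    findings = []
    for i, (sym, addr, mnem) in enumerate(insns):
        if mnem not in branches:
            continue
        nxt = insns[i + 1][2] if i + 1 < len(insns) else None
        if nxt not in STOPPERS:          # None (end of listing) is flagged too
            findings.append((sym, f"{addr:x}", mnem, nxt))
    return findings


if __name__ == "__main__":
    for sym, addr, mnem, nxt in find_unhardened(SAMPLE_DISASM):
        print(f"{sym}+{addr}: {mnem} followed by {nxt!r}, no INT3/LFENCE")
```

On a real kernel or module, feed it the output of `objdump -d` and review the hits against the gadget analysis; a flagged branch is a candidate for a trailing INT3/LFENCE, not automatically an exploitable gadget.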

Source: opennet.ru