Vulnerability in the Linux 6.2 kernel that bypasses Spectre v2 protection

A vulnerability has been identified in the Linux 6.2 kernel (CVE-2023-1998) that disables protection against Spectre v2 attacks, which allow access to the memory of other processes running on a different SMT (Hyper-Threading) thread of the same physical processor core. Among other things, the vulnerability can be used to set up data leakage between virtual machines in cloud systems. The issue affects only the 6.2 kernel series and stems from an incorrect implementation of optimizations meant to reduce the considerable overhead of the Spectre v2 mitigation. The fix has landed in the Linux 6.3 development branch.

In user space, a process can protect itself against Spectre attacks by selectively disabling indirect-branch speculation with prctl(PR_SET_SPECULATION_CTRL), or implicitly by enabling seccomp system call filtering. According to the researchers who identified the problem, the faulty optimization in the 6.2 kernel left the virtual machines of at least one large cloud provider without proper protection, even though the Spectre-BTI (branch target injection) mitigation had been requested through prctl. The vulnerability also shows up on ordinary servers running the 6.2 kernel when they are booted with the "spectre_v2=ibrs" option.

The root of the vulnerability is that when the kernel selected the IBRS or eIBRS mitigation mode, the optimization suppressed the use of STIBP (Single Thread Indirect Branch Predictors), the mechanism that blocks leaks between sibling threads under simultaneous multithreading (SMT, Hyper-Threading). Only eIBRS provides cross-thread protection on its own; legacy IBRS does not, because for performance reasons the IBRS bit, which provides the protection between logical cores, is cleared when control returns to user space, leaving user-space threads unprotected against Spectre v2 class attacks even though the prctl state reports them as mitigated.
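The following C program is an added example, not code from the article or from the kernel tree. It opts the calling process into the Spectre v2 user-space mitigation the way the affected cloud guests did, reads back what the kernel claims via PR_GET_SPECULATION_CTRL, and then applies the two checks that actually reveal CVE-2023-1998: the kernel release series and the spectre_v2 sysfs line. The prctl constants mirror <linux/prctl.h>; the fallback values are the upstream ones in case the libc headers predate them. The sysfs check rests on one assumption drawn from the fix: a patched kernel running in legacy IBRS mode lists a "STIBP:" field in that line, whereas the buggy 6.2 code suppressed it. The release check flags the whole 6.2 series and cannot tell a distribution kernel with a backported fix apart, so it is combined with the sysfs check rather than used alone.

```c
/* Added example (not from the article or the kernel source). Linux x86 only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Upstream values from <linux/prctl.h>, guarded for older libc headers. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#endif
#ifndef PR_SET_SPECULATION_CTRL
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_NOT_AFFECTED
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif

/* Decode the value prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH)
 * returns: 1 if the kernel says indirect-branch speculation is disabled for
 * this task (or the CPU is not affected), 0 otherwise, including a negative
 * errno passed through from a failed call. */
int indirect_branch_mitigated(long v)
{
    if (v < 0)
        return 0;
    if (v == PR_SPEC_NOT_AFFECTED)
        return 1;
    return (v & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) != 0;
}

/* 1 if a release string ("6.2.8-arch1-1", "6.2.0-rc3") is in the 6.2 series
 * named by the advisory, 0 if not, -1 if unparsable. */
int release_in_affected_series(const char *release)
{
    int major, minor;
    if (sscanf(release, "%d.%d", &major, &minor) != 2)
        return -1;
    return major == 6 && minor == 2;
}

/* 1 if the spectre_v2 sysfs line reports legacy IBRS (not "Enhanced IBRS")
 * and carries no "STIBP:" field. Assumption (see lead-in): a fixed kernel in
 * legacy IBRS mode reports STIBP here, the 6.2 bug left it out. */
int legacy_ibrs_without_stibp(const char *line)
{
    static const char prefix[] = "Mitigation: IBRS";
    if (strncmp(line, prefix, sizeof prefix - 1) != 0)
        return 0;
    return strstr(line, "STIBP:") == NULL;
}

static int read_line(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)n, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void)
{
    char release[128] = "", sv2[256] = "";
    long st;

    /* Step 1: request the mitigation, as the cloud guests in the article did. */
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
              PR_SPEC_DISABLE, 0, 0) != 0)
        fprintf(stderr, "PR_SET_SPECULATION_CTRL failed: %s "
                "(spectre_v2_user not in prctl/seccomp mode?)\n", strerror(errno));

    /* Step 2: the kernel's own view. On a buggy 6.2 this still reads as
     * mitigated, because the per-task bookkeeping succeeds; only STIBP is
     * never actually set. */
    st = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    if (st < 0)
        st = -errno;
    printf("prctl view: %s (raw %ld)\n",
           indirect_branch_mitigated(st) ? "mitigated" : "NOT mitigated", st);

    /* Step 3: the checks that catch CVE-2023-1998. */
    read_line("/proc/sys/kernel/osrelease", release, sizeof release);
    read_line("/sys/devices/system/cpu/vulnerabilities/spectre_v2", sv2, sizeof sv2);
    printf("kernel %s, spectre_v2: %s\n", release, sv2);
    if (release_in_affected_series(release) == 1 && legacy_ibrs_without_stibp(sv2))
        printf("VULNERABLE: 6.2 in legacy IBRS mode without STIBP (CVE-2023-1998)\n");
    else
        printf("no CVE-2023-1998 indicator found\n");
    return 0;
}
```

Run it as an unprivileged user; no root is needed for prctl or the sysfs read. The point of steps 1 and 2 is that they succeed on an affected kernel, which is exactly why the bug went unnoticed: user space has no prctl-level signal that STIBP is missing, so the verdict has to come from the kernel version and the sysfs report.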

Source: opennet.ru