Documentation/admin-guide/hw-vuln/cross-thread-rsb.rst - linux - Git at Google


 .. SPDX-License-Identifier: GPL-2.0

 Cross-Thread Return Address Predictions
 =======================================

 Certain AMD and Hygon processors are subject to a cross-thread return address
 predictions vulnerability. When running in SMT mode and one sibling thread
 transitions out of C0 state, the other sibling thread could use return target
 predictions from the sibling thread that transitioned out of C0.

 The Spectre v2 mitigations protect the Linux kernel, as it fills the return
 address prediction entries with safe targets when context switching to the idle
 thread. However, KVM does allow a VMM to prevent exiting guest mode when
 transitioning out of C0. This could result in a guest-controlled return target
 being consumed by the sibling thread.

 Affected processors
 -------------------

 The following CPUs are vulnerable:

     - AMD Family 17h processors
     - Hygon Family 18h processors

 Related CVEs
 ------------

 The following CVE entry is related to this issue:

    ==============  =======================================
    CVE-2022-27672  Cross-Thread Return Address Predictions
    ==============  =======================================

 Problem
 -------

 Affected SMT-capable processors support 1T and 2T modes of execution when SMT
 is enabled. In 2T mode, both threads in a core are executing code. For the
 processor core to enter 1T mode, it is required that one of the threads
 requests to transition out of the C0 state. This can be communicated with the
 HLT instruction or with an MWAIT instruction that requests non-C0.
 When the thread re-enters the C0 state, the processor transitions back
 to 2T mode, assuming the other thread is also still in C0 state.

 In affected processors, the return address predictor (RAP) is partitioned
 depending on the SMT mode. For instance, in 2T mode each thread uses a private
 16-entry RAP, but in 1T mode, the active thread uses a 32-entry RAP. Upon
 transition between 1T/2T mode, the RAP contents are not modified but the RAP
 pointers (which control the next return target to use for predictions) may
 change. This behavior may result in return targets from one SMT thread being
 used by RET predictions in the sibling thread following a 1T/2T switch. In
 particular, a RET instruction executed immediately after a transition to 1T may
 use a return target from the thread that just became idle. In theory, this
 could lead to information disclosure if the return targets used do not come
 from trustworthy code.

 Attack scenarios
 ----------------

 An attack can be mounted on affected processors by performing a series of CALL
 instructions with targeted return locations and then transitioning out of C0
 state.

 Mitigation mechanism
 --------------------

 Before entering idle state, the kernel context switches to the idle thread. The
 context switch fills the RAP entries (referred to as the RSB in Linux) with safe
 targets by performing a sequence of CALL instructions.

 Prevent a guest VM from directly putting the processor into an idle state by
 intercepting HLT and MWAIT instructions.

 Both mitigations are required to fully address this issue.

 Mitigation control on the kernel command line
 ---------------------------------------------

 Use existing Spectre v2 mitigations that will fill the RSB on context switch.

 Mitigation control for KVM - module parameter
 ---------------------------------------------

 By default, the KVM hypervisor mitigates this issue by intercepting guest
 attempts to transition out of C0. A VMM can use the KVM_CAP_X86_DISABLE_EXITS
 capability to override those interceptions, but since this is not common, the
 mitigation that covers this path is not enabled by default.

 The mitigation for the KVM_CAP_X86_DISABLE_EXITS capability can be turned on
 using the boolean module parameter mitigate_smt_rsb, e.g. ``kvm.mitigate_smt_rsb=1``.

	.. SPDX-License-Identifier: GPL-2.0

	Cross-Thread Return Address Predictions
	=======================================

	Certain AMD and Hygon processors are subject to a cross-thread return address
	predictions vulnerability. When running in SMT mode and one sibling thread
	transitions out of C0 state, the other sibling thread could use return target
	predictions from the sibling thread that transitioned out of C0.

	The Spectre v2 mitigations protect the Linux kernel, as it fills the return
	address prediction entries with safe targets when context switching to the idle
	thread. However, KVM does allow a VMM to prevent exiting guest mode when
	transitioning out of C0. This could result in a guest-controlled return target
	being consumed by the sibling thread.

	Affected processors
	-------------------

	The following CPUs are vulnerable:

	- AMD Family 17h processors
	- Hygon Family 18h processors

	Related CVEs
	------------

	The following CVE entry is related to this issue:

	============== =======================================
	CVE-2022-27672 Cross-Thread Return Address Predictions
	============== =======================================

	Problem
	-------

	Affected SMT-capable processors support 1T and 2T modes of execution when SMT
	is enabled. In 2T mode, both threads in a core are executing code. For the
	processor core to enter 1T mode, it is required that one of the threads
	requests to transition out of the C0 state. This can be communicated with the
	HLT instruction or with an MWAIT instruction that requests non-C0.
	When the thread re-enters the C0 state, the processor transitions back
	to 2T mode, assuming the other thread is also still in C0 state.

	In affected processors, the return address predictor (RAP) is partitioned
	depending on the SMT mode. For instance, in 2T mode each thread uses a private
	16-entry RAP, but in 1T mode, the active thread uses a 32-entry RAP. Upon
	transition between 1T/2T mode, the RAP contents are not modified but the RAP
	pointers (which control the next return target to use for predictions) may
	change. This behavior may result in return targets from one SMT thread being
	used by RET predictions in the sibling thread following a 1T/2T switch. In
	particular, a RET instruction executed immediately after a transition to 1T may
	use a return target from the thread that just became idle. In theory, this
	could lead to information disclosure if the return targets used do not come
	from trustworthy code.

	Attack scenarios
	----------------

	An attack can be mounted on affected processors by performing a series of CALL
	instructions with targeted return locations and then transitioning out of C0
	state.

	Mitigation mechanism
	--------------------

	Before entering idle state, the kernel context switches to the idle thread. The
	context switch fills the RAP entries (referred to as the RSB in Linux) with safe
	targets by performing a sequence of CALL instructions.

	Prevent a guest VM from directly putting the processor into an idle state by
	intercepting HLT and MWAIT instructions.

	Both mitigations are required to fully address this issue.

	Mitigation control on the kernel command line
	---------------------------------------------

	Use existing Spectre v2 mitigations that will fill the RSB on context switch.

	Mitigation control for KVM - module parameter
	---------------------------------------------

	By default, the KVM hypervisor mitigates this issue by intercepting guest
	attempts to transition out of C0. A VMM can use the KVM_CAP_X86_DISABLE_EXITS
	capability to override those interceptions, but since this is not common, the
	mitigation that covers this path is not enabled by default.

	The mitigation for the KVM_CAP_X86_DISABLE_EXITS capability can be turned on
	using the boolean module parameter mitigate_smt_rsb, e.g. ``kvm.mitigate_smt_rsb=1``.