Today’s Spectre variant: branch history injection

Post Syndicated from original https://lwn.net/Articles/887326/

A few days prior to the expected 5.17 release, the mainline kernel has just received a series of Spectre mitigations for the x86 and ARM architectures. The vulnerability this time is called “branch history injection”; it has been deemed CVE-2022-0001 and CVE-2022-0002. Some information can be found in this Intel disclosure, this ARM advisory, and this VUSec page:

Branch History Injection (BHI or Spectre-BHB) is a new flavor of
Spectre-v2 in that it can circumvent eIBRS and CSV2 to simplify
cross-privilege mistraining. The hardware mitigations do prevent
the unprivileged attacker from injecting predictor entries for the
kernel. However, the predictor relies on a global history to select
the target entries to speculatively execute. And the attacker can
poison this history from userland to force the kernel to mispredict
to more “interesting” kernel targets (i.e., gadgets) that leak
data.

According to a documentation patch merged into the mainline, the only known way to exploit this problem is via unprivileged BPF.
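Since unprivileged BPF is the only known exploitation path named above, the practical question for an administrator is whether that path is closed on a given host. The following script is an added example, not code from the article or from the kernel tree: it interprets the real `kernel.unprivileged_bpf_disabled` sysctl (read from `/proc/sys/kernel/unprivileged_bpf_disabled`) and reports the kernel's own Spectre v2 status string from `/sys/devices/system/cpu/vulnerabilities/spectre_v2`. The verdict labels and the `--check` flag are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the LWN article or the kernel): a defender-side check
# of whether unprivileged BPF, the only known Spectre-BHB exploitation path at
# the time of the article, is disabled on this host, plus the kernel's reported
# Spectre v2 mitigation status. File paths are the real sysctl/sysfs locations;
# the verdict words are this script's own.

# Interpret a value of kernel.unprivileged_bpf_disabled.
# Prints a one-word verdict; returns 0 only when unprivileged BPF is blocked.
#   0 -> unprivileged BPF allowed (known exploitation path is open)
#   1 -> disabled, cannot be re-enabled without a reboot
#   2 -> disabled, but a privileged user may re-enable it at runtime
bpf_verdict() {
    case "$1" in
        1) echo "disabled-locked"; return 0 ;;
        2) echo "disabled";        return 0 ;;
        0) echo "ALLOWED";         return 1 ;;
        *) echo "unknown";         return 1 ;;
    esac
}

# Read the live sysctl; prints "missing" if this kernel lacks the knob.
read_bpf_setting() {
    f=/proc/sys/kernel/unprivileged_bpf_disabled
    if [ -r "$f" ]; then cat "$f"; else echo "missing"; fi
}

# Report the kernel's Spectre v2 status string from sysfs, if present.
read_spectre_v2_status() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ]; then cat "$f"; else echo "not reported"; fi
}

# Inspect the running host; exit status is 0 only if unprivileged BPF is off.
main() {
    val=$(read_bpf_setting)
    verdict=$(bpf_verdict "$val") && rc=0 || rc=$?
    echo "kernel.unprivileged_bpf_disabled=$val ($verdict)"
    echo "spectre_v2: $(read_spectre_v2_status)"
    if [ "$rc" -ne 0 ]; then
        echo "ACTION: sysctl -w kernel.unprivileged_bpf_disabled=1 closes the known Spectre-BHB path"
    fi
    return "$rc"
}

# Only touch the live system when asked; otherwise just define the functions
# so the file can be sourced.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as `sh bhi_check.sh --check`; a non-zero exit means unprivileged BPF is still enabled. Note that value 2 reports as disabled but can be flipped back to 0 by a privileged process, so a hardened baseline should pin the setting to 1.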