Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 857951

Summary: kernel: Retbleed: Arbitrary Speculative Code Execution with Return Instructions
Product: Gentoo Security Reporter: Alice Ferrazzi <alicef>
Component: KernelAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: dist-kernel, kernel, pacho
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ce114c866860
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 863458, 863467, 863647    
Bug Blocks: 858116    

Description Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2022-07-14 13:08:18 UTC 
"On AMD CPUs, Retbleed is one specific instance of a more general
microarchitectural behaviour called Branch Type Confusion.  AMD have
assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type
Confusion)."
from: https://comsec.ethz.ch/research/microarch/retbleed/

mitigation patches:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ce114c866860

Reproducible: Always
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 03:31:52 UTC 
Rather confusing set of CVEs here.

Relevant oss-security thread: https://www.openwall.com/lists/oss-security/2022/07/12/5

The AMD vulnerabilities are AMD-issued CVE-2022-23816 and CVE-2022-23825, and the "Switzerland Government Common Vulnerability Program"-issued CVE-2022-29900.

CVE-2022-23816 (still unpublished) and CVE-2022-23825 together seem to refer to the same vulnerability tracked by CVE-2022-29900.

Seems like the kernel fix is not in a release yet.

Intel is using the Swiss CVE assignment of CVE-2022-29901.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 03:45:59 UTC 
From https://www.openwall.com/lists/oss-security/2022/07/12/2 (XSA-407):

Researchers at ETH Zurich have discovered Retbleed, allowing for
arbitrary speculative execution in a victim context.

For more details, see:
  https://comsec.ethz.ch/retbleed

ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for
Intel.

Despite the similar preconditions, these are very different
microarchitectural behaviours between vendors.

On AMD CPUs, Retbleed is one specific instance of a more general
microarchitectural behaviour called Branch Type Confusion.  AMD have
assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type
Confusion).

For more details, see:
  https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037

On Intel CPUs, Retbleed is not a new vulnerability; it is only
applicable to software which did not follow Intel's original Spectre-v2
guidance.  Intel are using the ETH Zurich allocated CVE-2022-29901.

For more details, see:
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html
  https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html

ARM have indicated existing guidance on Spectre-v2 is sufficient."
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-01 23:38:09 UTC 
5.19 is out with fixes in mainline. Doesn't seem like anything's made it down to stable yet.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-03 16:26:34 UTC 
Seems like fixes are in:

5.10.135 5.15.59 5.18.16