Microsoft and Redhat have released advisories regarding a new variant of the Spectre
Variant 1 side-channel vulnerability that affects modern Intel CPUs which leverage speculative-execution. There is some reason to believe that it affects some AMD processors as well. But no firm information has been provided as of yet.
Identified as CVE-2019-1125, the vulnerability could allow unprivileged local attackers to access sensitive information stored in the operating system privileged kernel memory.
The vulnerability was discovered and privately reported to Intel by Andrei Vlad Lutas of Bitdefender 12 months ago. It resides in every CPU Intel has introduced since at least its Ivy Bridge line (2012) of processors and possibly earlier.
From Red Hat: The vulnerability dubbed Spectre affected microprocessors that performed branch prediction as a method of improving system performance when evaluating complex instruction paths run by the CPU. These processors would speculate on the most likely choice when presented with a series of choices. These choices could act on private data and bring this data into cache. A careful observer of access times could use the timing of these actions to infer the contents of the speculatively accessed memory by observing timing results (commonly referred to as a timing attack).
The x86 family of microprocessors implements a feature known as memory “segmentation” in which all memory addresses are formed from a segment base address, plus an offset within that segment. The architecture defines segment registers (CS, DS, SS, ES, FS, GS) that may be used in building a complete memory address, with some used implicitly by certain instructions.
The “FS” and “GS” registers can be used in 64-bit mode to provide an offset into memory ranges reserved for specific data. For example, Linux uses “GS” to store TLS (Thread Local Storage) pointers in userspace (user) applications, and to serve as an offset into per_cpu data for a given processor when in-kernel. The SWAPGS instruction is used on 64-bit entry into kernel code to swap the current user space value of “GS” with the value intended to be used during kernel operations.
This newly swapped “GS” value is used to perform accesses to kernel data, using the PER_CPU macros contained within the kernel. The “SWAPGS” instruction was added as part of the mechanism to transition from userspace to kernel space, which determines a convention to find kernel data such as kernel stack data.
The SWAPGS instruction is a primitive instruction and does not validate the correctness of the values it uses. There are cases where the system may enter kernel code but may not require the swap or may re-enter kernel mode when already running in kernel mode.
Due to these cases, there are checks within the kernel entry code where conditional branches test to determine if the swap is necessary. As a result, it is possible that these conditional branches in the Linux kernel entry code may mis-speculate into code that will not perform the SWAPGS, resulting in a window of speculative execution during which the wrong GS is used for dependent memory operations. A typical Spectre-style side-channel analysis may be performed on the timing results by a suitably skilled attacker.
Microsoft has pushed a silent update for Windows 10 and Windows Server that mitigates this vulnerability in all CPUs that Intel has introduced since 2012. It is recommended that you update all Windows systems as soon as possible.
For Red Hat based systems a kernel update has been made available.
The following Red Hat product versions are impacted:
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Atomic Host
- Red Hat Enterprise MRG 2
- Red Hat OpenShift Online v3
- Red Hat Virtualization (RHV/RHV-H)
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform 4 (RHEL CoreOS)
The specific instruction of interest,
SWAPGS is only available on the x86-64 architecture, as such only x86-64 platform vendors (Intel and AMD) are known to be affected.