CVE-2023-0045
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176.
We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux Kernel | 9137bb27e60e < a664ec9158eeddd75121d39c9a0758016097fa96 | affected |
Weaknesses
- CWE-610: CWE-610 Externally Controlled Reference to a Resource in Another Sphere
ADP Enrichment
CVE Program Container
Additional References
- https://git.kernel.org/tip/a664ec9158eeddd75121d39c9a0758016097fa96
- https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html
- https://security.netapp.com/advisory/ntap-20230714-0001/
- https://github.com/google/security-research/security/advisories/GHSA-9x5g-vmxf-4qj8
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/tip/a664ec9158eeddd75121d39c9a0758016097fa96
- https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html
- https://security.netapp.com/advisory/ntap-20230714-0001/
- https://github.com/google/security-research/security/advisories/GHSA-9x5g-vmxf-4qj8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.