The grsecurity project has published details and a demonstration of an attack method for a new vulnerability (CVE-2021-26341) in AMD processors, related to speculative execution of the instructions that follow unconditional direct branch operations. In a successful attack, the vulnerability can be used to determine the contents of arbitrary memory regions. For example, the researchers prepared an exploit that determines the address layout and bypasses the KASLR protection mechanism (kernel address space layout randomization) by executing unprivileged code in the eBPF kernel subsystem. Other attack scenarios that could lead to leakage of kernel memory are not ruled out.
The vulnerability makes it possible to create conditions under which the processor, during speculative execution, processes the instruction that sits in memory immediately after a branch instruction (SLS, Straight Line Speculation). This optimization is triggered not only for conditional branches, but also for instructions that imply an unconditional direct transfer of control, such as JMP, RET and CALL. The bytes following an unconditional branch may be anything, including arbitrary data that was never intended to be executed.
Once the processor determines that the branch does not fall through to the following instruction, it simply rolls back its state and discards the results of the speculative execution, but the traces left by the speculatively executed instruction remain in the shared cache and can be recovered using side-channel analysis methods.
As with exploitation of the Spectre-V1 vulnerability, the attack requires the presence in the kernel of certain instruction sequences (gadgets) that lead to speculative execution. Blocking the vulnerability therefore comes down to identifying such gadgets in the code and adding instructions to them that stop speculative execution. Conditions for speculative execution can also be created by unprivileged programs executed in the eBPF virtual machine. To block the ability to construct gadgets via eBPF, it is recommended to prohibit unprivileged access to eBPF on the system ("sysctl -w kernel.unprivileged_bpf_disabled=1").
The vulnerability affects processors based on the Zen1 and Zen2 microarchitectures, including first- and second-generation AMD EPYC and AMD Ryzen Threadripper processors, as well as AMD Ryzen 2000/3000/4000/5000, AMD Athlon, AMD Athlon X, AMD Ryzen Threadripper Pro and A-series APUs. To block speculative execution of the following instructions, it is recommended to place an INT3 or LFENCE instruction after branch operations (RET, JMP, CALL).
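The following script is an added example and is not code from grsecurity or from the article above. It scans a GNU objdump -d listing of a kernel or module for RET and JMP instructions (direct and indirect) that are not immediately followed by an INT3 or LFENCE speculation barrier, which is the check a practitioner would run to confirm that a build actually carries the mitigation described above. CALL is deliberately not flagged: the instruction after a CALL is the return address and is executed architecturally anyway, so placing an INT3 there would trap on return. The listing embedded below is constructed for the demonstration; the function names, addresses and the sls_check name are assumptions of this example. On a real system the same function is used as objdump -d vmlinux | sls_check.

```shell
#!/bin/sh
# Added example (not from grsecurity or the original article): report
# unconditional branches that lack a speculation barrier after them.
# Assumes GNU objdump text output: "<addr>: <hex bytes...> <mnemonic> [operands]".

sls_check() {
    awk '
        # Instruction lines start with a hex address followed by a colon.
        $1 ~ /^[0-9a-f]+:$/ {
            i = 2
            # skip the raw opcode bytes (two hex digits each)
            while (i <= NF && $i ~ /^[0-9a-f][0-9a-f]$/) i++
            if (i > NF) next                  # continuation line with bytes only
            mn = $i
            # skip common prefixes so "notrack jmp *%rax" is still seen as a jmp
            if (mn == "notrack" || mn == "bnd" || mn == "rep") { i++; mn = $i }
            if (pending != "") {
                if (mn != "int3" && mn != "lfence")
                    printf "%s %s\n", pending_addr, pending
                pending = ""
            }
            if (mn ~ /^(ret|retq|jmp|jmpq)$/) {
                pending_addr = $1
                pending = $i
                for (j = i + 1; j <= NF; j++) pending = pending " " $j
            }
            next
        }
        # Any other line (function header, blank line, section banner)
        # ends the current function: a trailing unprotected branch is reported.
        {
            if (pending != "") printf "%s %s\n", pending_addr, pending
            pending = ""
        }
        END { if (pending != "") printf "%s %s\n", pending_addr, pending }
    '
}

# Constructed objdump-style listing: one hardened function, one with two
# unprotected branches (a ret followed by a nop, a direct jmp followed by xor).
SAMPLE='
ffffffff81000000 <hardened_fn>:
ffffffff81000000:  48 89 f8    mov    %rdi,%rax
ffffffff81000003:  c3          ret
ffffffff81000004:  cc          int3

ffffffff81000010 <unhardened_fn>:
ffffffff81000010:  48 89 f8    mov    %rdi,%rax
ffffffff81000013:  c3          ret
ffffffff81000014:  0f 1f 00    nopl   (%rax)
ffffffff81000017:  ff e0       jmp    *%rax
ffffffff81000019:  0f ae e8    lfence
ffffffff8100001c:  eb f2       jmp    ffffffff81000010 <unhardened_fn>
ffffffff8100001e:  48 31 c0    xor    %rax,%rax
'

# Prints the two unprotected sites in unhardened_fn and nothing for hardened_fn.
printf '%s\n' "$SAMPLE" | sls_check
```

The check is a linear pass over the decoded listing rather than over raw bytes, so it inherits objdump's decoding and does not misfire on immediates or jump-table data that happen to contain 0xC3. It reports a site when the instruction after the branch is anything other than int3 or lfence, which is the same property the INT3/LFENCE recommendation above establishes; a build with the kernel's SLS hardening enabled should produce no output for .text.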