A vulnerability has been detected in the Linux 6.2 kernel that can disable the protection against Spectre v2 class attacks, potentially allowing access to the memory of other processes running on a different SMT (Hyper-Threading) thread of the same physical processor core. The issue is caused by an incorrect implementation of optimizations intended to reduce the significant overhead of the Spectre v2 mitigation. The flaw was revealed by researchers, who noted that virtual machines were left without proper protection, which could result in data leakage on cloud systems.
The vulnerability, which can be used for data leakage between virtual machines in cloud systems, affects only the Linux 6.2 kernel. It can also manifest itself on ordinary servers running a 6.2 kernel booted with the `spectre_v2=ibrs` parameter.
To protect against Spectre class attacks, processes can selectively disable speculative execution of instructions through the prctl() PR_SET_SPECULATION_CTRL operation or through a seccomp-based mechanism. Even with the Spectre-BTI mitigation mode enabled through prctl(), the flaw left the virtual machines of at least one large cloud provider without proper protection.
The vulnerability has been fixed in the development branch of the Linux 6.3 kernel. According to reports, the optimization turned off the use of the STIBP mechanism when the IBRS or eIBRS protection mode was selected, although STIBP is necessary for blocking leaks when simultaneous multithreading (SMT, Hyper-Threading) is in use. Protection against leakage between sibling threads is provided by the eIBRS mode alone, but not by the IBRS mode, because in IBRS mode the IBRS bit, which protects against leaks between logical cores, is cleared when control returns to user space. As a result, a user-space thread is left unprotected against Spectre v2.
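As an added example (not code from the article or the kernel), the following Python check reads the kernel's spectre_v2 status line and SMT state from sysfs and flags the combination described above: plain IBRS mode on an SMT-enabled host with STIBP reported as disabled. The sysfs paths and the `Mitigation: IBRS, IBPB: ..., STIBP: ...` line format are assumed from what current kernels print; the sample status lines are constructed for illustration.

```python
import sys

# sysfs locations assumed from current Linux kernels
SYSFS_SPECTRE_V2 = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"
SYSFS_SMT_ACTIVE = "/sys/devices/system/cpu/smt/active"


def parse_spectre_v2(status: str) -> dict:
    """Split a spectre_v2 line into the mitigation mode and its 'Key: value' parts.

    Assumed format: 'Mitigation: IBRS, IBPB: conditional, STIBP: disabled, RSB filling'
    """
    status = status.strip()
    if not status.startswith("Mitigation:"):
        return {"mode": status, "fields": {}}  # e.g. 'Not affected' or 'Vulnerable'
    parts = [p.strip() for p in status[len("Mitigation:"):].split(",")]
    fields = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if sep:  # parts without a colon (e.g. 'RSB filling') carry no key
            fields[key.strip()] = value.strip()
    return {"mode": parts[0], "fields": fields}


def assess(status: str, smt_active: bool) -> str:
    """Return 'exposed' for the bad combination (plain IBRS, SMT on, STIBP off),
    'ok' when sibling-thread protection is present, 'n/a' when the article's
    scenario does not apply (other mitigations, not affected)."""
    info = parse_spectre_v2(status)
    mode = info["mode"]
    if not status.strip().startswith("Mitigation:"):
        return "n/a"
    if "Enhanced" in mode:
        return "ok"  # eIBRS covers the sibling thread on its own, no STIBP needed
    if mode != "IBRS":
        return "n/a"  # retpoline and friends are outside the article's scope
    if not smt_active:
        return "ok"  # no sibling thread to leak to
    # plain IBRS is cleared on return to user space, so STIBP must be engaged;
    # the kernel omits the field entirely when it is not in use
    stibp = info["fields"].get("STIBP", "disabled")
    return "ok" if stibp in ("conditional", "forced", "always-on") else "exposed"


def check_host() -> str:
    """Read the live values from sysfs; 'n/a' when they are unavailable."""
    try:
        with open(SYSFS_SPECTRE_V2) as f, open(SYSFS_SMT_ACTIVE) as g:
            return assess(f.read(), g.read().strip() == "1")
    except OSError:
        return "n/a"


if __name__ == "__main__":
    print("spectre_v2 SMT exposure:", check_host())
    sys.exit(1 if check_host() == "exposed" else 0)
```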
Users are advised to update to the latest version of the Linux 6.3 kernel to mitigate the risk posed by the vulnerability.