SUSE Addresses Spectre Variant 4
Today, the Google Project Zero team disclosed an additional speculative execution method to obtain data that would otherwise be protected by the CPU.
Google, together with CPU, hardware and operating system vendors have worked over the past months to prepare mitigations for this vulnerability, known as Spectre v4.
The vulnerability is similar to others in the Spectre family, yet has distinct characteristics that make it a unique attack vector. x86 CPU’s from both Intel and AMD, as well as several ARM and PowerPC CPU’s are affected.
The potential attack takes advantage of a performance feature of modern CPU’s called memory disambiguation. Memory disambiguation allows dispatching memory reads and writes to independent units speculatively, avoiding waiting for completion and thus boosting performance. As a result of this behavior, however, there are cases where speculative memory reads can see stale values of memory. Any such stale read is discarded at the end of the speculative execution and under normal conditions doesn’t cause any issues.
However, since the previous Spectre variants have shown how to carry over information from speculative execution using a cache side channel, the stale data effect of memory disambiguation can be used to obtain data that would be otherwise inaccessible.
The mitigation code developed for the Linux kernel allows disabling the processor’s memory disambiguation capability, either selectively per-process, or globally for the whole running system.
The just released SUSE Linux kernel updates disable memory disambiguation for eBPF execution, for any process making use of SECCOMP (browsers) and provide an opt-in capability to additionally disable it for individual processes that might be running untrusted code generated by a JIT. There is also a system-wide option to disable memory disambiguation globally.
Given that a kernel and hypervisor update is needed, installing the updated packages and rebooting the system is required to obtain the mitigation. In addition to that, on Intel CPU’s a microcode update is required for the mitigation to work.
CPU Microcode availability and release schedules can be checked at Intel’s website or via your hardware vendor. SUSE will also re-publish official microcode updates. For AMD x86 and Power, no CPU microcode updates are required. For ARM, kernel and Microcode updates will be published in future update rounds.
CVE page link: https://www.suse.com/security/cve/CVE-2018-3639/
SUSE Addresses Meltdown and Spectre Vulnerabilities blog: https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/
SUSE wishes to thank the CPU and hardware vendors and the Linux kernel community for their collaboration in mitigating this issue in such a timely fashion for the good of customers and the industry.