Security vulnerability: RETBLEED transient execution information leak side-channel attack (CVE-2022-29900 CVE-2022-29901)

This document (000020693) is provided subject to the disclaimer at the end of this document.

Environment

For a comprehensive list of affected products please review the SUSE CVE announcements:

- https://www.suse.com/security/cve/CVE-2022-29900
- https://www.suse.com/security/cve/CVE-2022-29901


Situation

Security researchers Johannes Wikner and Kaveh Razavi from ETH Zuerich have identified a new transient execution information leak caused by "return" CPU instructions on Intel and AMD x86 systems.

Under certain conditions the CPU predicts the target of a return instruction with the indirect branch predictor instead of the return stack, and that predictor can be influenced by Branch Target Injection attacks (aka Spectre-BTI).

This allows local attackers who can execute code on the system to leak sensitive data from the kernel, as with other Spectre-style vulnerabilities.

Affected CPUs:

- Intel Skylake and newer Intel x86 CPU generations
- AMD Bulldozer (family 0x15) up to Zen 3
- Arm CPUs that are also vulnerable to Spectre variant 2
 

Resolution

Various mitigation methods have been implemented and can be selected manually or are selected automatically.
  • IBPB (Indirect Branch Prediction Barrier) can be used to flush the indirect branch predictor. This has performance impact, but is the safest option.
  • On Intel Skylake generation CPUs the IBRS feature (Indirect Branch Restricted Speculation) is used, which prevents indirect branch predictions made in the kernel from being controlled by code that ran at a lower privilege level.
 

Options:


- retbleed=off
Switches the RETBLEED mitigations off. Note that this is only possible on SUSE Linux Enterprise 15 SP4 and newer; on older SUSE systems the mitigation cannot be completely disabled.

- retbleed=auto
Automatically selects the retbleed mitigation. This is also included in the "mitigations=auto" setting.
Note that SMT siblings (hyperthreads) remain exposed on CPUs without STIBP and on AMD Zen 1.

- retbleed=auto,nosmt
Automatically selects the retbleed mitigation and disables SMT where that is needed. This is also included in the "mitigations=auto,nosmt" setting.
Hyperthreading is only disabled on systems without STIBP and on AMD Zen 1 systems.

- retbleed=unret
Enables the "untrained return thunks" mitigation method. This only works on AMD Zen 1 and Zen 2 systems.
If this option is selected on an unsupported CPU, the sysfs status file reports "Vulnerable: untrained return thunk on non-Zen uarch" (see Status below).

- retbleed=unret,nosmt
Enables the "untrained return thunks" mitigation method. This only works on AMD Zen 1 and Zen 2 systems.
On Zen 1 systems hyperthreading is additionally disabled.
If this option is selected on an unsupported CPU, the sysfs status file reports "Vulnerable: untrained return thunk on non-Zen uarch" (see Status below).

- retbleed=ibpb
Issues an IBPB (Indirect Branch Prediction Barrier), flushing the indirect branch predictor state.
This has the highest performance impact, but is also the safest option.

- spectre_v2=ibrs
Enables the kernel IBRS mitigation (needed only on Intel Skylake generation platforms).
Note that this option lives in the spectre_v2 namespace, because the same Spectre v2 mitigation is also used against RETBLEED.
 
- spectre_v2=off
Disables the expensive IBRS retbleed mitigation on Intel Skylake, if there are performance concerns. Note that this leaves the system vulnerable to RETBLEED.
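The options above are kernel command-line parameters; to make one of them persistent it has to go into the bootloader configuration. The following POSIX shell script is an added example (not part of this SUSE document) that sets or replaces a retbleed= or spectre_v2= token idempotently. It assumes a GRUB2-based system as on SUSE Linux Enterprise 15, where the default kernel command line is the double-quoted GRUB_CMDLINE_LINUX_DEFAULT value in /etc/default/grub and the boot configuration is regenerated with grub2-mkconfig -o /boot/grub2/grub.cfg. The function names, the sample grub defaults file and the retbleed=auto,nosmt / spectre_v2=ibrs choice are this example's own; the demonstration works on a constructed temporary copy, never on the real file.

```shell
#!/bin/sh
# Added example, not part of the SUSE TID. Idempotently sets KEY=VALUE in
# GRUB_CMDLINE_LINUX_DEFAULT so a retbleed=/spectre_v2= choice survives reboots.
# Assumptions: GRUB2 layout as on SLE 15 (/etc/default/grub, double-quoted value,
# grub2-mkconfig -o /boot/grub2/grub.cfg). Run as root on the real file.

# set_cmdline_param FILE KEY VALUE
# Replaces an existing KEY=... token (exact key match, so spectre_v2= does not
# touch spectre_v2_user=) or appends KEY=VALUE; adds the variable if missing.
set_cmdline_param() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ {
            line = $0
            sub(/^GRUB_CMDLINE_LINUX_DEFAULT=/, "", line)
            gsub(/^"|"$/, "", line)             # strip the surrounding quotes
            n = split(line, toks, " ")
            out = ""; found = 0
            for (i = 1; i <= n; i++) {
                if (toks[i] == "") continue
                if (index(toks[i], key "=") == 1) { toks[i] = key "=" value; found = 1 }
                out = out (out == "" ? "" : " ") toks[i]
            }
            if (!found) out = out (out == "" ? "" : " ") key "=" value
            print "GRUB_CMDLINE_LINUX_DEFAULT=\"" out "\""
            seen = 1
            next
        }
        { print }
        END { if (!seen) print "GRUB_CMDLINE_LINUX_DEFAULT=\"" key "=" value "\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_cmdline_param FILE KEY
# Prints the value of KEY from GRUB_CMDLINE_LINUX_DEFAULT, or nothing if unset.
get_cmdline_param() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" \
        | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Demonstration on a constructed copy of /etc/default/grub (not the real file).
GRUB_DEFAULTS=${GRUB_DEFAULTS:-$(mktemp)}
cat > "$GRUB_DEFAULTS" <<'EOF'
GRUB_DEFAULT=saved
GRUB_TIMEOUT=8
GRUB_CMDLINE_LINUX_DEFAULT="splash=silent resume=/dev/sda2 retbleed=off quiet"
GRUB_CMDLINE_LINUX=""
EOF
set_cmdline_param "$GRUB_DEFAULTS" retbleed auto,nosmt   # replaces retbleed=off
set_cmdline_param "$GRUB_DEFAULTS" spectre_v2 ibrs       # appended, was absent
grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$GRUB_DEFAULTS"
echo "retbleed is now: $(get_cmdline_param "$GRUB_DEFAULTS" retbleed)"
echo "On a real system, follow up with: grub2-mkconfig -o /boot/grub2/grub.cfg && reboot"
rm -f "$GRUB_DEFAULTS"
```

Running the script twice with the same key and value leaves the file unchanged, and GRUB_CMDLINE_LINUX (without _DEFAULT) is never touched, so the edit can be used safely from configuration management. After changing the file on a real host, regenerate grub.cfg, reboot and confirm the result in /proc/cmdline and in the sysfs status file described in the Status section.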

 

Status:

The status can be found in /sys/devices/system/cpu/vulnerabilities/retbleed:

"Not affected"
    The CPU is not affected by RETBLEED.

"Vulnerable"
    The CPU is vulnerable to RETBLEED and no mitigation is enabled.

"Vulnerable: untrained return thunk on non-Zen uarch"
    The mitigation "unret" was selected but is not supported on this CPU; the CPU
    remains vulnerable to RETBLEED.

"Mitigation: untrained return thunk; SMT disabled"
    AMD mitigation "untrained return thunk" enabled and hyperthreading disabled.

"Mitigation: untrained return thunk; SMT enabled with STIBP protection"
    AMD mitigation "untrained return thunk" enabled and STIBP protection for hyperthreading
    enabled.

"Mitigation: untrained return thunk; SMT vulnerable"
    AMD mitigation "untrained return thunk" enabled; on systems with hyperthreading
    an attacker running on the sibling thread of the same physical core can still
    leak data.

"Mitigation: IBPB"
    The IBPB (Indirect Branch Prediction Barrier) mitigation method is enabled.

"Mitigation: IBRS"
    IBRS was selected to mitigate RETBLEED. For Spectre Variant 2 this mitigation
    had originally been replaced by retpoline; it is re-enabled here as the
    RETBLEED mitigation.

"Mitigation: Enhanced IBRS"
    Enhanced IBRS (eIBRS) is used instead of legacy IBRS on CPUs that support it,
    which lessens the performance impact.

On Arm CPUs the mitigations for Spectre v2 are also mitigating RETBLEED.
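The status strings above are what a fleet-wide compliance check has to interpret. The following POSIX shell script is an added example (not part of this SUSE document) that maps the sysfs line to a verdict, fails hosts that are still "Vulnerable", warns on hosts whose SMT siblings remain exposed, and flags boot parameters that deliberately weaken the mitigation (retbleed=off, spectre_v2=off, mitigations=off). The classification names, the verdict levels and the constructed sample status and command line are this example's own; the status strings are the ones listed above.

```shell
#!/bin/sh
# Added example, not part of the SUSE TID: map the retbleed sysfs status line to a
# compliance verdict, so a fleet check can fail hosts left "Vulnerable" and warn on
# hosts whose SMT siblings are still exposed. Classification names are this
# example's own; the status strings are the ones documented in the TID.
RETBLEED_SYSFS=/sys/devices/system/cpu/vulnerabilities/retbleed

# classify_retbleed STATUS_LINE
# Prints: not-affected | mitigated | mitigated-smt-vulnerable | unret-unsupported |
#         vulnerable | unknown   (more specific patterns are matched first)
classify_retbleed() {
    case "$1" in
        "Not affected")                                          echo not-affected ;;
        "Vulnerable: untrained return thunk on non-Zen uarch")   echo unret-unsupported ;;
        Vulnerable*)                                             echo vulnerable ;;
        "Mitigation: untrained return thunk; SMT vulnerable")    echo mitigated-smt-vulnerable ;;
        Mitigation:*)                                            echo mitigated ;;
        *)                                                       echo unknown ;;
    esac
}

# verdict CLASS -> ok | warn | fail
# "warn": protected from other processes, but an attacker on the SMT sibling of
# the same core can still leak data (compare retbleed=auto,nosmt above).
verdict() {
    case "$1" in
        not-affected|mitigated)       echo ok ;;
        mitigated-smt-vulnerable)     echo warn ;;
        *)                            echo fail ;;
    esac
}

# cmdline_weakens_retbleed CMDLINE_STRING
# Returns 0 if the boot parameters switch the mitigation off (retbleed=off,
# spectre_v2=off or mitigations=off), 1 otherwise. Token match, so
# spectre_v2_user=off is not mistaken for spectre_v2=off.
cmdline_weakens_retbleed() {
    for tok in $1; do
        case "$tok" in
            retbleed=off|spectre_v2=off|mitigations=off) return 0 ;;
        esac
    done
    return 1
}

# Live check when run on a Linux host; otherwise constructed sample input.
if [ -r "$RETBLEED_SYSFS" ]; then
    status=$(cat "$RETBLEED_SYSFS")
    cmdline=$(cat /proc/cmdline 2>/dev/null)
else
    status="Mitigation: untrained return thunk; SMT vulnerable"            # constructed sample
    cmdline="BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 retbleed=unret quiet"  # constructed sample
fi
class=$(classify_retbleed "$status")
printf 'retbleed: "%s" -> %s (%s)\n' "$status" "$class" "$(verdict "$class")"
if cmdline_weakens_retbleed "$cmdline"; then
    echo "note: the kernel command line explicitly weakens the RETBLEED mitigation"
fi
```

A "warn" verdict is the case to watch on multi-tenant hosts: the kernel is protected from ordinary user processes, but a co-scheduled attacker on the sibling hyperthread of the same core is not excluded, which is exactly what retbleed=auto,nosmt or retbleed=unret,nosmt addresses at the cost of half the logical CPUs.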

Please note that unlike the upstream kernel, SUSE Linux Enterprise 15 SP3 and older code streams do not implement the "retbleed=off" kernel parameter. That means that the mitigation cannot be completely disabled.

retbleed=unret (the default on affected AMD CPUs) and retbleed=ibpb (a more expensive alternative on AMD) are still supported as in upstream.

In general, we strongly discourage disabling hardware-specific mitigations. If the most expensive part of the Retbleed mitigation (IBRS) on Skylake-based CPUs must nevertheless be disabled, this can be done by supplying spectre_v2=off on the kernel command line. Note that this also disables the other Spectre v2 mitigations, including the RETBLEED one on affected Intel CPUs.

With that, only the "return thunks" remain enabled unconditionally; according to our internal testing their overhead is minimal, around 1%.

If you have a business case that cannot operate with that additional overhead and explicitly requires avoiding all mitigations (mitigations=off, with all due consequences), please open a support ticket or a bug entry in the SUSE Bugzilla.
 

Status: Security Alert

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020693
  • Creation Date: 25-Jul-2022
  • Modified Date: 25-Jul-2022
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
    • SUSE Linux Enterprise Micro
    • SUSE Linux Enterprise HPC
