Linux KVM Gets Patched For New AMD Cross-Thread Return Address Predictions Bug

Written by Michael Larabel in AMD on 14 February 2023 at 12:30 PM EST.
CVE-2022-27672 is being made public today as the "Cross-Thread Return Address Predictions" bug affecting various AMD and Hygon processors. The vulnerability arises in SMT mode: when one sibling thread transitions out of the C0 state, the other sibling thread could consume the halted thread's return target predictions.

The good news is that the Linux kernel is already protected against the AMD Cross-Thread Return Address Predictions bug as part of its Spectre V2 mitigation. But the Linux Kernel-based Virtual Machine (KVM) does require special handling for this bug, since otherwise a VM guest-controlled return target could be consumed by the sibling thread.


Patches were posted today to mitigate KVM on Linux 6.2, 6.1, and 5.15 LTS. Again, these kernel patches only affect KVM usage: the standard Spectre V2 mitigations are sufficient to protect the kernel itself. So for those not making use of KVM virtualization, there isn't much to be concerned about with today's CVE-2022-27672 disclosure.

KVM lead developer Paolo Bonzini of Red Hat wrote minutes ago on the kernel mailing list:
Certain AMD processors are vulnerable to a cross-thread return address predictions bug. When running in SMT mode and one of the sibling threads transitions out of C0 state, the other thread gets access to twice as many entries in the RSB, but unfortunately the predictions of the now-halted logical processor are not purged. Therefore, the executing processor could speculatively execute from locations that the now-halted processor had trained the RSB on.

The Spectre v2 mitigations cover the Linux kernel, as it fills the RSB when context switching to the idle thread. However, KVM allows a VMM to prevent exiting guest mode when transitioning out of C0; the KVM_CAP_X86_DISABLE_EXITS capability can be used by a VMM to change this behavior. To mitigate the cross-thread return address predictions bug, a VMM must not be allowed to override the default behavior to intercept C0 transitions.

These patches introduce a KVM module parameter that, if set, will prevent the user from disabling the HLT, MWAIT and CSTATE exits.


AMD's security bulletin notes this Cross-Thread Return Address Predictions bug affects 1st and 2nd Gen AMD EPYC server processors and Ryzen 5000 series and older. The latest Ryzen 7000 series or 3rd and 4th Gen EPYC are not affected. This bug affects AMD desktop CPUs back to the Athlon X4 series.
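A host-side audit of the exposure described above, as an added example that is not from the article or the kernel patches. It assumes the KVM opt-in module parameter is exposed at /sys/module/kvm/parameters/mitigate_smt_rsb (the article does not name the parameter, so that path is an assumption), and the file paths are arguments so the check can be exercised against constructed inputs.

```shell
#!/bin/sh
# Classify a host's exposure to CVE-2022-27672 through KVM.
# Added example; not code from the article or the kernel patches.
# Usage: check_smt_rsb_kvm [SMT_ACTIVE_FILE] [CPUINFO_FILE] [KVM_PARAM_FILE]
# Prints one of: vendor-not-affected, smt-inactive, kvm-absent, mitigated, exposed
check_smt_rsb_kvm() {
    smt_file=${1:-/sys/devices/system/cpu/smt/active}
    cpuinfo=${2:-/proc/cpuinfo}
    # Assumed path of the module parameter the KVM patches introduce.
    param=${3:-/sys/module/kvm/parameters/mitigate_smt_rsb}

    # The advisory lists AMD and Hygon parts only; anything else is out of scope.
    if ! grep -Eq '^vendor_id[[:space:]]*:[[:space:]]*(AuthenticAMD|HygonGenuine)' \
            "$cpuinfo" 2>/dev/null; then
        echo "vendor-not-affected"; return 0
    fi

    # The bug needs a halted SMT sibling; with SMT inactive there is none.
    smt=$(cat "$smt_file" 2>/dev/null || true)
    if [ "$smt" != "1" ]; then
        echo "smt-inactive"; return 0
    fi

    # Without the kvm module loaded, no VMM can ask to disable C0-transition exits.
    if [ ! -r "$param" ]; then
        echo "kvm-absent"; return 0
    fi

    # Y: VMMs are refused the HLT/MWAIT/CSTATE exit opt-out. N: they may still disable it.
    case "$(cat "$param")" in
        Y|y|1) echo "mitigated" ;;
        *)     echo "exposed" ;;
    esac
}

# Audit the live host with the default paths and explain the verdict.
status=$(check_smt_rsb_kvm)
case "$status" in
    exposed) echo "$status: a VMM may still disable HLT/MWAIT/CSTATE exits on this host;" \
                  "enable the KVM mitigation parameter (assumed name: mitigate_smt_rsb)" ;;
    *)       echo "$status" ;;
esac
```

The vendor test is deliberately coarse: it flags every AMD or Hygon host as in scope rather than encoding the per-generation list from the bulletin, so "exposed" means "check the model against the advisory", not a confirmed vulnerable part.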

Within minutes of the patches being sent out, Linus Torvalds already merged them for the near-final Linux 6.2 state. As mentioned already, expect stable kernel updates out soon with these KVM patches.