Linux kernel 6.2 userspace processes to enable mitigation Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2023-04-20 |
Type : local |
Platform : linux
This exploit / vulnerability, Linux kernel 6.2 userspace processes to enable mitigation, is for educational purposes only; if you use it, you do so at your own risk!
## Exploit Title: Linux Kernel 6.2 - Userspace Processes To Enable Mitigation
## Exploit Author: nu11secur1ty
## CVE ID: CVE-2023-1998
## Description
## Summary
The Linux kernel allows userspace processes to enable mitigations by calling prctl with [PR_SET_SPECULATION_CTRL](https://docs.kernel.org/userspace-api/spec_ctrl.html), which disables the speculation feature, as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the Spectre-BTI mitigation with prctl. The same behaviour can be observed on a bare-metal machine when forcing the mitigation to IBRS on the boot command line.
This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that [STIBP](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/single-thread-indirect-branch-predictors.html) was not needed: the IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy [IBRS](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html), the IBRS bit was cleared on returning to userspace for performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to the cross-thread branch target injection against which STIBP protects.
## Severity
Medium - The kernel failed to protect applications that attempted to protect against Spectre v2, leaving them open to attack from other processes running on the same physical core in another hyperthread.
## Vulnerable code
The bug present in kernel 6.2 (https://elixir.bootlin.com/linux/v6.2/source/arch/x86/kernel/cpu/bugs.c#L1196) implements an optimization that disables STIBP if the mitigation is IBRS or eIBRS. However, IBRS does not mitigate SMT attacks on userspace the way eIBRS does. Setting spectre_v2=ibrs on the kernel boot command line of a bare-metal machine without eIBRS support also triggers the bug.
```c
/*
 * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,
 * STIBP is not required.
 */
if (!boot_cpu_has(X86_FEATURE_STIBP) ||
    !smt_possible ||
    spectre_v2_in_ibrs_mode(spectre_v2_enabled))
        return;
```
## Proof of Concept
The test consists of two processes. The attacker constantly poisons an indirect call to speculatively redirect it to a target address. The victim process measures the mispredict rate and tries to mitigate the attack either by calling prctl or by writing to the MSR directly using a kernel module that exposes MSR read and write operations to userspace.
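As an added defender-side check (not the advisory's PoC and not the author's code), the following C program classifies the spectre_v2 mitigation the kernel reports in sysfs, checks whether SMT is active, and issues the same PR_SET_SPECULATION_CTRL request the victim process makes; the configuration this bug affects is plain IBRS with SMT on. The sysfs strings "Mitigation: IBRS" and "Mitigation: Enhanced ..." and the fallback prctl constant values come from the upstream kernel sources, not from this page.

```c
/* Added example (not the advisory's PoC): detect the plain-IBRS + SMT setup the
 * bug affects, then issue the same prctl the advisory's victim process uses. */
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#ifndef PR_SET_SPECULATION_CTRL            /* fallbacks; values from linux/prctl.h */
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_INDIRECT_BRANCH 1
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
enum v2_mode { V2_OTHER, V2_PLAIN_IBRS, V2_EIBRS };

/* Classify the first field of .../cpu/vulnerabilities/spectre_v2; "Enhanced" covers eIBRS variants. */
enum v2_mode classify_spectre_v2(const char *line)
{
    static const char plain[] = "Mitigation: IBRS", enh[] = "Mitigation: Enhanced";
    if (strncmp(line, enh, sizeof enh - 1) == 0)
        return V2_EIBRS;
    /* plain IBRS must be the whole field: the next char is ',', '\n' or NUL */
    if (strncmp(line, plain, sizeof plain - 1) == 0 && strchr(",\n", line[sizeof plain - 1]))
        return V2_PLAIN_IBRS;
    return V2_OTHER;
}

/* STIBP only matters with legacy IBRS and an active sibling hyperthread. */
int config_affected(const char *spectre_v2_line, int smt_active)
{
    return smt_active && classify_spectre_v2(spectre_v2_line) == V2_PLAIN_IBRS;
}

static int read_line(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    int ok = f && fgets(buf, (int)n, f) != NULL;
    if (f) fclose(f);
    return ok ? 0 : -1;
}

int main(void)
{
    char v2[256], smt[8] = "0";               /* missing smt/active means no SMT */
    if (read_line("/sys/devices/system/cpu/vulnerabilities/spectre_v2", v2, sizeof v2)) return 1;
    read_line("/sys/devices/system/cpu/smt/active", smt, sizeof smt);
    long rc = prctl(PR_SET_SPECULATION_CTRL, (unsigned long)PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0UL, 0UL);
    long st = prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_INDIRECT_BRANCH, 0UL, 0UL, 0UL);
    printf("prctl set rc=%ld, state=0x%lx (success alone does not prove STIBP is on)\n", rc, st);
    if (config_affected(v2, smt[0] == '1'))
        puts("plain IBRS with SMT active: on unpatched 6.2 this process is still exposed");
    return 0;
}
```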