Redhat : CVE-2019-1125: Spectre SWAPGS gadget vulnerability

Overview

Red Hat has been made aware of an additional spectre-V1 like attack vector, requiring updates to the Linux kernel. This additional attack vector builds on existing software fixes shipped in previous kernel updates. This vulnerability only applies to x86-64 systems using either Intel or AMD processors.

This issue has been assigned CVE-2019-1125 and is rated Moderate.

An unprivileged local attacker can use these flaws to bypass conventional memory security restrictions to gain read access to privileged memory that would otherwise be inaccessible.

Background

The vulnerability dubbed “Spectre” affected microprocessors that performed branch prediction as a method of improving system performance when evaluating complex instruction paths run by the CPU. These processors would speculate on the most likely choice when presented with a series of choices. These choices could act on private data and bring this data into cache. A careful observer of access times could use the timing of these actions to infer the contents of the speculatively accessed memory by observing timing results (commonly referred to as a timing attack).

The x86 family of microprocessors implements a feature known as memory “segmentation” in which all memory addresses are formed from a segment base address, plus an offset within that segment. The architecture defines segment registers (CS, DS, SS, ES, FS, GS) that may be used in building a complete memory address, with some used implicitly by certain instructions.

The “FS” and “GS” registers can be used in 64-bit mode to provide an offset into memory ranges reserved for specific data. For example, Linux uses “GS” to store TLS (Thread Local Storage) pointers in userspace (user) applications, and to serve as an offset into per_cpu data for a given processor when in-kernel. The “SWAPGS” instruction is used on 64-bit entry into kernel code to swap the current user space value of “GS” with the value intended to be used during kernel operations.

Read more on redhat.com