1.8 KiB
CVE-2024-56761
Description
In the Linux kernel, the following vulnerability has been resolved:x86/fred: Clear WFE in missing-ENDBRANCH #CPsAn indirect branch instruction sets the CPU indirect branch tracker(IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays assertedacross the instruction boundary. When the decoder finds aninappropriate instruction while WFE is set ENDBR, the CPU raises a #CPfault.For the "kernel IBT no ENDBR" selftest where #CPs are deliberatelytriggered, the WFE state of the interrupted context needs to becleared to let execution continue. Otherwise when the CPU resumesfrom the instruction that just caused the previous #CP, anothermissing-ENDBRANCH #CP is raised and the CPU enters a dead loop.This is not a problem with IDT because it doesn't preserve WFE andIRET doesn't set WFE. But FRED provides space on the entry stack(in an expanded CS area) to save and restore the WFE state, thus theWFE state is no longer clobbered, so software must clear it.Clear WFE to avoid dead looping in ibt_clear_fred_wfe() and the!ibt_fatal code path when execution is allowed to continue.Clobbering WFE in any other circumstance is a security-relevant bug.[ dhansen: changelog rewording ]
POC
Reference
No PoCs from references.