Linux Lands Safeguard For RISC-V Against Another Microarchitectural Attack Vector
([RISC-V] 5 Hours Ago
RISC-V Side Channel)
- Reference: 0001605410
- News link: https://www.phoronix.com/news/Linux-6.19-RISC-V-Side-Channel
- Source link:
Increasingly complex RISC-V cores aren't magically immune to the speculative execution / side-channel vulnerabilities that have rattled the x86_64 and ARM64 landscape for years. Following recent work on [1]Spectre V1 handling for RISC-V in the Linux kernel, merged this weekend for Linux 6.19-rc5 is another RISC-V attack vector safeguard.
A patch was merged on Saturday in time for today's Linux 6.19-rc5 release as another security improvement for RISC-V. The RISC-V architecture code in the Linux kernel is now sanitizing the system call table indexing under speculation, similar to how the code is already handled in the x86 and ARM space. Due to the system call number being a user-controlled value for indexing into the syscall table, special handling is needed to prevent speculative out-of-bounds access and possible data leakage via cache side channels.
Yesterday's RISC-V fixes [2]merge to Linux 6.19 Git commented:
"Notable changes include a fix to close one common microarchitectural attack vector for out-of-order cores.
...
Prevent branch predictor poisoning microarchitectural attacks that use the syscall index as a vector by using array_index_nospec() to clamp the index after the bounds check (as x86 and ARM64 already do)."
Look for this and the other fixes that landed this week in Linux 6.19-rc5 due out later today.
[1] https://www.phoronix.com/news/Spectre-V1-RISC-V-Patches
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=755bc1335e3b116b702205b72eb57b7b8aef2bb2
A patch was merged on Saturday in time for today's Linux 6.19-rc5 release as another security improvement for RISC-V. The RISC-V architecture code in the Linux kernel is now sanitizing the system call table indexing under speculation, similar to how the code is already handled in the x86 and ARM space. Due to the system call number being a user-controlled value for indexing into the syscall table, special handling is needed to prevent speculative out-of-bounds access and possible data leakage via cache side channels.
Yesterday's RISC-V fixes [2]merge to Linux 6.19 Git commented:
"Notable changes include a fix to close one common microarchitectural attack vector for out-of-order cores.
...
Prevent branch predictor poisoning microarchitectural attacks that use the syscall index as a vector by using array_index_nospec() to clamp the index after the bounds check (as x86 and ARM64 already do)."
Look for this and the other fixes that landed this week in Linux 6.19-rc5 due out later today.
[1] https://www.phoronix.com/news/Spectre-V1-RISC-V-Patches
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=755bc1335e3b116b702205b72eb57b7b8aef2bb2