git.ipfire.org Git - thirdparty/kernel/stable.git/commit

x86/vmscape: Enumerate VMSCAPE bug

Commit a508cec6e5215a3fbc7e73ae86a5c5602187934d upstream.

The VMSCAPE vulnerability may allow a guest to cause Branch Target
Injection (BTI) in userspace hypervisors.

Kernels (both host and guest) have existing defenses against direct BTI
attacks from guests. There are also inter-process BTI mitigations which
prevent processes from attacking each other. However, the threat in this
case is to a userspace hypervisor within the same process as the attacker.

Userspace hypervisors have access to their own sensitive data like disk
encryption keys and also typically have access to all guest data. This
means guest userspace may use the hypervisor as a confused deputy to attack
sensitive guest kernel data. There are no existing mitigations for these
attacks.

Introduce X86_BUG_VMSCAPE for this vulnerability and set it on affected
Intel and AMD CPUs.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

author	Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
	Thu, 14 Aug 2025 17:20:42 +0000 (10:20 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 11 Sep 2025 15:19:15 +0000 (17:19 +0200)
commit	304d1fb275af2ec049e5381c92679d607d8dcc5e
tree	d1efe691e5a2b40f6db600d63a101ad03a1935e6	tree \| snapshot
parent	55ad07f8a22740fe49fa195f49f2dec30bcdb879	commit \| diff

arch/x86/include/asm/cpufeatures.h		diff \| blob \| blame \| history
arch/x86/kernel/cpu/common.c		diff \| blob \| blame \| history