git.ipfire.org Git - thirdparty/kernel/stable.git/commit

x86/vmscape: Enumerate VMSCAPE bug

Commit a508cec6e5215a3fbc7e73ae86a5c5602187934d upstream.

The VMSCAPE vulnerability may allow a guest to cause Branch Target
Injection (BTI) in userspace hypervisors.

Kernels (both host and guest) have existing defenses against direct BTI
attacks from guests. There are also inter-process BTI mitigations which
prevent processes from attacking each other. However, the threat in this
case is to a userspace hypervisor within the same process as the attacker.

Userspace hypervisors have access to their own sensitive data like disk
encryption keys and also typically have access to all guest data. This
means guest userspace may use the hypervisor as a confused deputy to attack
sensitive guest kernel data. There are no existing mitigations for these
attacks.

Introduce X86_BUG_VMSCAPE for this vulnerability and set it on affected
Intel and AMD CPUs.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

author	Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
	Thu, 14 Aug 2025 17:20:42 +0000 (10:20 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 11 Sep 2025 15:21:46 +0000 (17:21 +0200)
commit	7c62c442b6eb95d21bc4c5afc12fee721646ebe2
tree	4047da2c644d3cacb280691981ca621eef5180a0	tree \| snapshot
parent	4c6fbb4dba3fcdb81324dbd65083f2dc129d0a1a	commit \| diff

arch/x86/include/asm/cpufeatures.h		diff \| blob \| blame \| history
arch/x86/kernel/cpu/common.c		diff \| blob \| blame \| history