
Speculative execution, variant 4: speculative store bypass

184 points, by brandon, almost 7 years ago

8 comments

kashyapc, almost 7 years ago

If you are using Linux-based virtualization (KVM), besides requiring updated kernel and Intel microcode (which is not yet available), you would also need updates for relevant layers: QEMU and libvirt. Patches are posted[1][2].

Virtual Machines now need to be exposed to a new Intel CPU feature flag: 'ssbd' (Speculative Store Bypass Disable).

On microcode, from Red Hat's blog post[3]:

"In many (but not all) cases, full mitigation will also require updated microcode from the system microprocessor vendor. Red Hat intends to ship updated microcode as a convenience to our customers as it is made available to us. In the interim, customers are strongly advised to contact their OEM, ODM, or system manufacturer to receive this via a system BIOS update."

[1] https://www.redhat.com/archives/libvir-list/2018-May/msg01560.html

[2] https://lists.gnu.org/archive/html/qemu-devel/2018-05/msg04795.html

[3] https://www.redhat.com/en/blog/speculative-store-bypass-explained-what-it-how-it-works
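Added example, not from the comment above nor from the libvirt/QEMU patches it links: a libvirt domain XML `<cpu>` fragment that makes a KVM guest require the ssbd flag, so the guest kernel can apply its own Speculative Store Bypass mitigation. It assumes the host kernel, microcode, QEMU and libvirt already carry the updates the comment describes; `host-model` and `policy='require'` are existing libvirt CPU configuration options.

```xml
<!-- Added example (not the comment author's or libvirt's own text).
     Weak setting: a plain host-model CPU with no feature list lets the
     guest boot on an unpatched host without ever seeing ssbd, so the
     guest kernel silently runs without the SSB mitigation available.

<cpu mode='host-model'/>

     Corrected setting: require ssbd explicitly. With policy='require',
     libvirt refuses to start the domain unless the host CPU (with
     updated microcode, kernel, QEMU and libvirt) can provide the flag,
     turning a silent downgrade into a visible start-up failure. -->
<cpu mode='host-model'>
  <feature policy='require' name='ssbd'/>
</cpu>
```

Inside the guest, the flag should then appear in the `flags` line of `/proc/cpuinfo`, and on kernels that carry the fix `/sys/devices/system/cpu/vulnerabilities/spec_store_bypass` reports the mitigation state.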
my123, almost 7 years ago

AMD guidance:

https://developer.amd.com/wp-content/resources/124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf

(setting a CPU-specific MSR and it's done for current CPUs, no microcode updates required.)

https://www.amd.com/en/corporate/security-updates has: "We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date."
ENOTTY, almost 7 years ago

These are the links I found most explanatory

https://bugs.chromium.org/p/project-zero/issues/detail?id=1528

https://software.intel.com/sites/default/files/managed/b9/f9/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf

https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf

https://blogs.technet.microsoft.com/srd/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/

https://developer.amd.com/wp-content/resources/124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html uCode update is only for variant 3a (MSR read) and for the global disable bit in the MSR. The standard mitigation is still LFENCE.

https://docs.microsoft.com/en-us/cpp/security/developer-guidance-speculative-execution vulnerable code examples
swonderl, almost 7 years ago

Explained: https://www.redhat.com/en/blog/speculative-store-bypass-explained-what-it-how-it-works
cesarb, almost 7 years ago

A commenter over at arstechnica (https://arstechnica.com/gadgets/2018/05/new-speculative-execution-vulnerability-strikes-amd-arm-and-intel/?comments=1&post=35370251) found an old article explaining the optimization which led to this vulnerability: "Faster Load Times - Intel Core versus AMD's K8 architecture" https://www.anandtech.com/show/1998/5
pedro84, almost 7 years ago

Additional vendor info:

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

https://blogs.technet.microsoft.com/srd/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
exikyut, almost 7 years ago

Possibly completely unrelated question (this stuff is firmly over my head): toward the end of the first PoC there's

    /* if we don't break the loop after some time when it doesn't work, in NO_INTERRUPTS mode with SMP disabled, the machine will lock up */

The bit at the top of the that says

    ======== Demo code (no privilege boundaries crossed) ========

is suggestive and unambiguous, but the program executions show (with "$"s) that this is being executed as non-root.

So... is this deadlock fundamentally related to the speculative execution glitch(es)?
rbanffy, almost 7 years ago

The MS advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012