APPLIED: [SRU][P/N/J][PATCH 0/3] VMSCAPE CVE-2025-40300 (LP: #2124105)

Edoardo Canepa edoardo.canepa at canonical.com
Fri Oct 10 16:46:26 UTC 2025


Applied to [P/N/J]/master-next. Thanks.

On 9/17/25 14:22, Massimiliano Pellizzer wrote:
> BugLink: https://bugs.launchpad.net/bugs/2124105
>
> [ Impact ]
>
> VMSCAPE is a vulnerability, affecting a broad range of amd64 CPUs,
> that may allow a guest to influence the branch prediction in host userspace.
> It particularly affects hypervisors like QEMU.
>
> Even if a hypervisor may not have any sensitive data like disk encryption keys,
> guest-userspace may be able to attack the guest-kernel using the hypervisor
> as a confused deputy.
>
> [ Fix ]
>
> Backport the following patchset to all affected series:
> - 9969779d0803 Documentation/hw-vuln: Add VMSCAPE documentation
> - a508cec6e521 x86/vmscape: Enumerate VMSCAPE bug
> - 2f8f173413f1 x86/vmscape: Add conditional IBPB mitigation
> - 556c1ad666ad x86/vmscape: Enable the mitigation
> - 6449f5baf9c7 x86/bugs: Move cpu_bugs_smt_update() down
> - b7cc98872315 x86/vmscape: Warn when STIBP is disabled with SMT
> - 8a68d64bb103 x86/vmscape: Add old Intel CPUs to affected list
>
> [ Test Plan ]
>
> Boot the kernel on a system having a vulnerable CPU.
> Fine-tune the PoC (https://github.com/comsec-group/vmscape/tree/main/vmscape)
> considering the CPU on which the kernel is running.
> Run the PoC and make sure that it fails.
>
> [ Regression Potential ]
>
> The regression potential is moderate, since the patches add conditional
> IBPB flushing on VMEXIT for the CPUs affected by the vulnerability.
> Any issue would be limited to measurable performance regressions for
> VM-heavy workloads that trigger frequent VMEXITs (due to IBPB overhead).
>
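
A host-side status check to run alongside the test plan quoted above, as an added example that is not part of the original thread or of the patchset: it classifies the VMSCAPE state a patched kernel reports and flags hosts where SMT is active or the mitigation was turned off at boot. The sysfs path and the `vmscape=off` / `mitigations=off` parameters are taken from upstream kernel documentation, not from this page; the function name, result labels and `ROOT` argument are illustrative assumptions.

```shell
#!/bin/sh
# vmscape_status [ROOT]: classify the VMSCAPE mitigation state of a host.
# ROOT is a hypothetical prefix (default: the live system) so the check can
# be exercised against a constructed directory tree.
vmscape_status() {
    root="${1:-}"
    vuln="$root/sys/devices/system/cpu/vulnerabilities/vmscape"
    smt="$root/sys/devices/system/cpu/smt/active"
    cmdline="$root/proc/cmdline"

    # No sysfs entry: the running kernel does not carry the backported series.
    if [ ! -r "$vuln" ]; then
        echo "no-sysfs-entry"
        return 0
    fi

    status=$(cat "$vuln")
    case "$status" in
        "Not affected"*)
            echo "not-affected" ;;
        Mitigation:*)
            # The series warns when STIBP is disabled with SMT, so hosts with
            # SMT active are flagged for a look at the kernel log.
            if [ -r "$smt" ] && [ "$(cat "$smt")" = "1" ]; then
                echo "mitigated-smt-active"
            else
                echo "mitigated"
            fi ;;
        Vulnerable*)
            # Separate "switched off at boot" from "no mitigation selected".
            if grep -Eq '(^| )(vmscape=off|mitigations=off)( |$)' "$cmdline" 2>/dev/null; then
                echo "vulnerable-cmdline-off"
            else
                echo "vulnerable"
            fi ;;
        *)
            echo "unknown" ;;
    esac
}

# Report the state of the running system (or of the tree given as $1).
vmscape_status "$@"
```

On a hypervisor host the result should be `mitigated` or `not-affected`; `no-sysfs-entry` after the update means the host is still running the old kernel.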