[SRU][P/N/J][PATCH 0/3] VMSCAPE CVE-2025-40300 (LP: #2124105)
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Wed Sep 17 12:22:35 UTC 2025
BugLink: https://bugs.launchpad.net/bugs/2124105
[ Impact ]
VMSCAPE is a vulnerability, affecting a broad range of amd64 CPUs,
that may allow a guest to influence the branch prediction in host userspace.
It particularly affects hypervisors like QEMU.
Even if a hypervisor may not have any sensitive data like disk encryption keys,
guest userspace may be able to attack the guest kernel using the hypervisor
as a confused deputy.
[ Fix ]
Backport the following patchset to all affected series:
- 9969779d0803 Documentation/hw-vuln: Add VMSCAPE documentation
- a508cec6e521 x86/vmscape: Enumerate VMSCAPE bug
- 2f8f173413f1 x86/vmscape: Add conditional IBPB mitigation
- 556c1ad666ad x86/vmscape: Enable the mitigation
- 6449f5baf9c7 x86/bugs: Move cpu_bugs_smt_update() down
- b7cc98872315 x86/vmscape: Warn when STIBP is disabled with SMT
- 8a68d64bb103 x86/vmscape: Add old Intel CPUs to affected list
[ Test Plan ]
Boot the kernel on a system with a vulnerable CPU.
Fine-tune the PoC (https://github.com/comsec-group/vmscape/tree/main/vmscape)
considering the CPU on which the kernel is running.
Run the PoC and make sure that it fails.
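A pre-flight check that goes with the test plan above, added here as an example and not part of the SRU submission or the upstream patches: before attributing a failing PoC to the backport, confirm that the booted kernel actually enumerates the bug and reports a mitigation. The sysfs path /sys/devices/system/cpu/vulnerabilities/vmscape, the "Not affected" / "Mitigation:" / "Vulnerable" wording, and the "vmscape" token in the cpuinfo "bugs" field are assumptions based on the conventions of the other entries in that directory, not facts stated on this page; the sample status lines and the sample cpuinfo content in the script are constructed.

```shell
#!/bin/sh
# Added example (not from the SRU cover letter or the upstream patch set).
# Pre-flight check for the VMSCAPE test plan: does the running kernel know
# about the bug and report a mitigation? If not, a PoC that "fails" says
# nothing about the backport (it may simply be mis-tuned for the CPU).
#
# ASSUMPTIONS (not stated on the page):
#  - sysfs entry: /sys/devices/system/cpu/vulnerabilities/vmscape
#  - it uses the usual "Not affected" / "Mitigation: ..." / "Vulnerable..."
#    wording of its sibling entries
#  - an affected CPU lists the token "vmscape" in the "bugs" field of /proc/cpuinfo

VMSCAPE_SYSFS=${VMSCAPE_SYSFS:-/sys/devices/system/cpu/vulnerabilities/vmscape}
CPUINFO=${CPUINFO:-/proc/cpuinfo}

# Map one sysfs status line to a short verdict.
# An empty string means the file was absent, i.e. the kernel predates the patches.
classify_vmscape() {
    case "$1" in
        "Not affected") echo not_affected ;;
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        "")             echo missing ;;
        *)              echo unknown ;;
    esac
}

# Does a cpuinfo-style file ($1) carry "vmscape" as a whole token on its "bugs" line?
cpu_has_vmscape_bug() {
    grep '^bugs' "$1" 2>/dev/null | tr ' \t' '\n\n' | grep -qx vmscape
}

# Returns 0 only when the kernel reports the bug as mitigated.
# Prints what it found so the tester can paste it into the test log.
vmscape_preflight() {
    status=$(cat "$VMSCAPE_SYSFS" 2>/dev/null || true)
    verdict=$(classify_vmscape "$status")
    echo "vmscape sysfs: ${status:-<absent>} -> $verdict"
    if cpu_has_vmscape_bug "$CPUINFO"; then
        echo "cpuinfo: CPU flagged with the vmscape bug"
    else
        echo "cpuinfo: vmscape not in bugs (unpatched kernel, or unaffected CPU)"
    fi
    [ "$verdict" = mitigated ]
}

# Constructed sample inputs, so the classifier can be exercised on any box.
demo_classify() {
    for s in "Mitigation: IBPB before exit to userspace" "Not affected" "Vulnerable" ""; do
        printf '%-45s -> %s\n' "'$s'" "$(classify_vmscape "$s")"
    done
}

demo_classify
# Live check against the running kernel; do not abort the script if it fails,
# the verdict line above is the information the tester needs.
vmscape_preflight || true
```

Run it once before the PoC on the patched kernel: expect "mitigated" and the CPU flagged in cpuinfo. Run it on the unpatched kernel too: "missing" there is the evidence that the bug enumeration really came from the backport rather than from a newer userspace.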
[ Regression Potential ]
The regression potential is moderate, since the patches add conditional
IBPB flushing on VMEXIT for the CPUs affected by the vulnerability.
Any issue would be limited to measurable performance regressions for
VM-heavy workloads that trigger frequent VMEXITs (due to IBPB overhead).