ACK/Cmnt: [SRU][P/N/J][PATCH 0/3] VMSCAPE CVE-2025-40300 (LP: #2124105)

Jacob Martin jacob.martin at canonical.com
Thu Sep 18 17:37:18 UTC 2025


On 9/17/25 7:22 AM, Massimiliano Pellizzer wrote:
> BugLink: https://bugs.launchpad.net/bugs/2124105
> 
> [ Impact ]
> 
> VMSCAPE is a vulnerability, affecting a broad range of amd64 CPUs,
> that may allow a guest to influence the branch prediction in host userspace.
> It particularly affects hypervisors like QEMU.
> 
> Even if a hypervisor may not have any sensitive data like disk encryption keys,
> guest-userspace may be able to attack the guest-kernel using the hypervisor
> as a confused deputy.
> 
> [ Fix ]
> 
> Backport the following patchset to all affected series:
> - 9969779d0803 Documentation/hw-vuln: Add VMSCAPE documentation
> - a508cec6e521 x86/vmscape: Enumerate VMSCAPE bug
> - 2f8f173413f1 x86/vmscape: Add conditional IBPB mitigation
> - 556c1ad666ad x86/vmscape: Enable the mitigation
> - 6449f5baf9c7 x86/bugs: Move cpu_bugs_smt_update() down
> - b7cc98872315 x86/vmscape: Warn when STIBP is disabled with SMT
> - 8a68d64bb103 x86/vmscape: Add old Intel CPUs to affected list
> 
> [ Test Plan ]
> 
> Boot the kernel on a system having a vulnerable CPU.
> Fine-tune the PoC (https://github.com/comsec-group/vmscape/tree/main/vmscape)
> considering the CPU on which the kernel is running.
> Run the PoC and make sure that it fails.
> 
> [ Regression Potential ]
> 
> The regression potential is moderate, since the patches add conditional
> IBPB flushing on VMEXIT for the CPUs affected by the vulnerability.
> Any issue would be limited to measurable performance regressions for
> VM-heavy workloads that trigger frequent VMEXITs (due to IBPB overhead).
> 

For all 3 patch series, the "UBUNTU: [Config] Enable MITIGATION_VMSCAPE 
config" change should probably be tagged with the CVE number in the 
commit message.

Otherwise, LGTM!

Acked-by: Jacob Martin <jacob.martin at canonical.com>
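A host-side verification script, added here as an example and not part of the SRU submission or the backported patchset: it reads the kernel's sysfs vulnerability entry for VMSCAPE and checks that the running kernel's config enables the mitigation, which is the defender's counterpart to the PoC-based test plan above. The sysfs attribute name `vmscape` and the option name `CONFIG_MITIGATION_VMSCAPE` are assumed from the patch titles quoted in the thread; the exact mitigation strings the kernel prints are not on this page, so the script only matches the `Not affected` / `Mitigation:` / `Vulnerable` prefixes that the vulnerabilities directory conventionally uses. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: report the VMSCAPE mitigation state on a KVM host.
# Assumptions (not taken from the patchset itself): the sysfs attribute is
# named "vmscape" like the other entries in that directory, and the Kconfig
# symbol is CONFIG_MITIGATION_VMSCAPE as named in the thread.

VMSCAPE_SYSFS=/sys/devices/system/cpu/vulnerabilities/vmscape

# classify_vmscape_status STRING
# Maps the sysfs text to a short verdict:
#   notaffected | mitigated | vulnerable | unknown
# An empty string means the file was absent, i.e. the kernel predates the
# backport and exposes no status at all.
classify_vmscape_status() {
    case "$1" in
        "Not affected"*) echo notaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# config_has_vmscape FILE
# Succeeds when the kernel config FILE enables CONFIG_MITIGATION_VMSCAPE=y.
# -s keeps grep quiet if the file does not exist.
config_has_vmscape() {
    grep -qs '^CONFIG_MITIGATION_VMSCAPE=y$' "$1"
}

# vmscape_report [SYSFS_FILE] [CONFIG_FILE]
# Prints one summary line and returns 0 only when the host is either not
# affected or has the mitigation active; any other state returns 1 so the
# function can gate a fleet check or a CI job.
vmscape_report() {
    sysfs="${1:-$VMSCAPE_SYSFS}"
    config="${2:-/boot/config-$(uname -r)}"
    status=""
    [ -r "$sysfs" ] && status=$(cat "$sysfs")
    verdict=$(classify_vmscape_status "$status")
    if config_has_vmscape "$config"; then
        cfg=enabled
    else
        cfg=missing-or-unknown
    fi
    printf 'vmscape: %s (%s) config: %s\n' \
        "$verdict" "${status:-no sysfs entry}" "$cfg"
    case "$verdict" in
        notaffected|mitigated) return 0 ;;
        *)                     return 1 ;;
    esac
}
```

Run `vmscape_report` on the host after booting the SRU kernel; a `mitigated` verdict with `config: enabled` is what the backport should produce on an affected CPU, while `unknown` with an empty status means the kernel does not carry the enumeration patch at all, which is worth distinguishing from a genuinely unaffected part.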