CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
9.0%
Mishandling of guest SSBD selection on AMD hardware The current logic to
set SSBD on AMD Family 17h and Hygon Family 18h processors requires that
the setting of SSBD is coordinated at a core level, as the setting is
shared between threads. Logic was introduced to keep track of how many
threads require SSBD active in order to coordinate it, such logic relies on
using a per-core counter of threads that have SSBD active. When running on
the mentioned hardware, it’s possible for a guest to under or overflow the
thread counter, because each write to VIRT_SPEC_CTRL.SSBD by the guest gets
propagated to the helper that does the per-core active accounting.
Underflowing the counter causes the value to get saturated, and thus
attempts for guests running on the same core to set SSBD won’t have effect
because the hypervisor assumes it’s already active.
Author | Note |
---|---|
mdeslaur | hypervisor packages are in universe. For issues in the hypervisor, add appropriate tags to each section, ex: Tags_xen: universe-binary |