Retbleed and related return predictor microarchitectural flaws (CVE-2022-29901, CVE-2022-28693, CVE-2022-29900, CVE-2022-23825)
Johannes Wikner and Kaveh Razavi of ETH Zürich discovered multiple issues with speculative branch prediction of return calls.
On Skylake-generation Intel processors that do not support eIBRS (enhanced indirect branch restricted speculation), when the Return Stack Buffer underflowed, alternate predictors would be used, and retpoline is used as a mitigation in the Linux kernel to protect against this situation, but the researchers demonstrated that this was insufficient (CVE-2022-29901). The mitigation for this issue is to enable IBRS on these platforms.
The researchers also discovered that on some Skylake-generation with eIBRS, RSB underflow could result in alternate prediction targets within the current predictor domain, resulting in a way to perform Intra-mode Branch Target Injection (BTI) attacks. (CVE-2022-28693)
On AMD ZEN 1 and ZEN 2 processor families, the researchers found they were able to find branch-target collisions with return addresses. (CVE-2022-29900)
AMD internally discovered that on some processors, the branch predictor is used to predict the type and target of branch instructions, and later determines if the prediction was accurate, resulting in a small window of speculation at the predicted branch target even if the branch type does not match. This is a result of aliasing in the branch predictor, and could result in the predictor predicting an indirect branch at a specific location while the actual instruction is not a branch at all. (CVE-2022-23825)
Due to the complex nature and the variety of mitigations needed for these issues, Ubuntu kernel updates are currently in progress.
CVE-2022-29901: Return Stack Buffer (RSB) underflow on non-eIBRS Skylake-generation Intel processors
CVE-2022-28693: Restricted alternate predictors RSB underflow on Skylake-generation Intel processors with eIBRS
CVE-2022-29900: Branch predictor return mis-predictions through colliding branch targets on some AMD processors
CVE-2022-23825: Branch predictor type confusion due to aliasing on some AMD processors
- ETH Zürich COMSEC advisory
- ETH Zürich COMSEC USENIX Security Paper
- Intel advisory for CVE-2022-29901
- Intel advisory for CVE-2022-28693:
- AMD advisory:
- Intel Return Stack Buffer Underflow technical guidance (new):
- Intel Retpoline technical guidance (updated with Empty RSB Mitigation on Skylake-generation discussion):
- Intel table of affected processors:
- Intel blog post:
- AMD Technical Guidance for Mitigating Branch Type Confusion
- 2022 July 12: Public disclosure
Public Cloud Image updates
Amazon AWS: <IN PROGRESS>
Windows Azure: <IN PROGRESS>
Google Compute Engine: <IN PROGRESS>
Ubuntu Core Images: <IN PROGRESS>
Cloud Images dailies will start appearing within 4 hours of the USN announcement. At the direction of the security team, the Cloud Image Team will start manually releasing new images to the public cloud.