Kernel watch


Jon Masters keeps up with all the latest happenings in the Linux kernel, so you don’t have to.

Linus Torvalds announced the fourth RC (Release Candidate) for what will become Linux 6.9 in another few weeks. In his announcement, he noted that there was “Nothing particularly unusual going on this week – some new hardware mitigations may stand out, but after a decade of this I can’t really call it ‘unusual’ anymore, can I?” This was in relation to yet another speculative execution vulnerability that had been mitigated, called Native Branch History Injection.


The original BHI (Branch History Injection) was disclosed by researchers at VUSec back in March 2022. It exploits a CPU’s branch predictor logic, in particular the record of previously taken branches known as the BHB (Branch History Buffer), by effectively creating a phantom history that mistrains future predictions and causes the CPU to perform (measurable and attacker-controlled) speculative accesses that can be used to reconstruct sensitive data. At the time it was felt that finding the necessary ‘gadgets’ (exploitable code sequences) within the kernel was sufficiently hard that the mitigation was to disable unprivileged eBPF, so that an attacker couldn’t simply load the code they needed into the kernel for an attack. In the latest attack, a tool was created to find alternative, exploitable gadgets within existing kernel code. The fix is to bring x86 in line with other architectures by zeroing the BHB when crossing privilege levels.
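For readers who want to know whether their own machine carries the new mitigation, here is an added helper (not from the column or the kernel tree) that reads the kernel’s spectre_v2 sysfs report and classifies its BHI field. The exact field wordings (“SW loop”, “BHI_DIS_S”, “Retpoline”, “Vulnerable”, “Not affected”) are assumed from the 6.9 kernel’s reporting code, and the sample line used when the sysfs file is absent is constructed.

```shell
#!/bin/sh
# Added example: classify the "BHI:" field that kernels from 6.9 onwards append to
# /sys/devices/system/cpu/vulnerabilities/spectre_v2. Field strings are an assumption
# based on the kernel's reporting code; the fallback line below is constructed.

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Print the text after "BHI: " up to the next ';', or "absent" if no BHI field exists
# (pre-6.9 kernels do not report BHI at all).
bhi_field() {
    case "$1" in
        *"BHI:"*) printf '%s\n' "${1#*BHI: }" | cut -d';' -f1 ;;
        *)        printf 'absent\n' ;;
    esac
}

# Map the report to one of: not-affected, mitigated, partial, vulnerable, unknown.
bhi_status() {
    case "$1" in "Not affected") printf 'not-affected\n'; return ;; esac
    field=$(bhi_field "$1")
    case "$field" in
        "Not affected")                        printf 'not-affected\n' ;;
        "BHI_DIS_S"*|"SW loop"*|"Retpoline"*)  printf 'mitigated\n' ;;   # host and guests cleared
        "Vulnerable, KVM"*)                    printf 'partial\n' ;;     # only VM exits clear the BHB
        "Vulnerable"*)                         printf 'vulnerable\n' ;;
        *)                                     printf 'unknown\n' ;;     # no BHI reporting on this kernel
    esac
}

main() {
    if [ -r "$SPECTRE_V2_FILE" ]; then
        line=$(cat "$SPECTRE_V2_FILE")
    else
        # Constructed sample for non-x86 hosts or containers without sysfs access.
        line='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop'
    fi
    printf 'spectre_v2: %s\nBHI status: %s\n' "$line" "$(bhi_status "$line")"
}
main "$@"
```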

Fallout is fun

On 29th March, Andres Freund, a developer working at Microsoft, announced that he had – through sheer luck and an aptitude for troubleshooting performance issues on his systems – found a back door subtly hidden in the upstream XZ Utils, a popular compression library used on many FLOSS systems. The actual attack is now well documented, relying on a subtle compromise of build artefacts that are not directly part of the source, but are widely used to build distro packages. The net result being that the attacker(s) are able to compromise SSH connections on