Описание
ELSA-2025-20560: Unbreakable Enterprise kernel security update (IMPORTANT)
[5.4.17-2136.347.6.1]
- x86/vmscape: Warn when STIBP is disabled with SMT (Pawan Gupta) [Orabug: 38343661]
- x86/bugs: Move cpu_bugs_smt_update() down (Pawan Gupta) [Orabug: 38343661]
- x86/vmscape: Enable the mitigation (Pawan Gupta) [Orabug: 38343661]
- x86/vmscape: Add conditional IBPB mitigation (Pawan Gupta) [Orabug: 38343661]
- x86/vmscape: Add old Intel CPUs to affected list (Pawan Gupta) [Orabug: 38343661]
- x86/vmscape: Enumerate VMSCAPE bug (Pawan Gupta) [Orabug: 38343661]
- Documentation/hw-vuln: Add VMSCAPE documentation (Pawan Gupta) [Orabug: 38343661]
Обновленные пакеты
Oracle Linux 8
Oracle Linux aarch64
kernel-uek
5.4.17-2136.347.6.1.el8uek
kernel-uek-debug
5.4.17-2136.347.6.1.el8uek
kernel-uek-debug-devel
5.4.17-2136.347.6.1.el8uek
kernel-uek-devel
5.4.17-2136.347.6.1.el8uek
kernel-uek-doc
5.4.17-2136.347.6.1.el8uek
Oracle Linux x86_64
kernel-uek
5.4.17-2136.347.6.1.el8uek
kernel-uek-container
5.4.17-2136.347.6.1.el8uek
kernel-uek-container-debug
5.4.17-2136.347.6.1.el8uek
kernel-uek-debug
5.4.17-2136.347.6.1.el8uek
kernel-uek-debug-devel
5.4.17-2136.347.6.1.el8uek
kernel-uek-devel
5.4.17-2136.347.6.1.el8uek
kernel-uek-doc
5.4.17-2136.347.6.1.el8uek
Oracle Linux 7
Oracle Linux x86_64
kernel-uek
5.4.17-2136.347.6.1.el7uek
kernel-uek-container
5.4.17-2136.347.6.1.el7uek
kernel-uek-container-debug
5.4.17-2136.347.6.1.el7uek
kernel-uek-debug
5.4.17-2136.347.6.1.el7uek
kernel-uek-debug-devel
5.4.17-2136.347.6.1.el7uek
kernel-uek-devel
5.4.17-2136.347.6.1.el7uek
kernel-uek-doc
5.4.17-2136.347.6.1.el7uek
kernel-uek-tools
5.4.17-2136.347.6.1.el7uek
Связанные CVE
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize ...
In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize ...
In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimiz
In the Linux kernel, the following vulnerability has been resolved: x ...