Project:Security/Vulnerabilities/Spectre SWAPGS gadget vulnerability

From Gentoo Wiki
Jump to: navigation, search

Summary

Gentoo Linux has been made aware of an additional Spectre V1 like attack vector, requiring updates to the Linux kernel.

Spectre SWAPGS gadget vulnerability (CVE-2019-1125) allows an unprivileged local attacker to bypass conventional memory security restrictions to gain read access to privileged memory that would otherwise be inaccessible.

Resolution

There is no known complete mitigation other than updating the kernel and rebooting the system. This kernel patch builds on existing spectre mitigations.

Kernel updates

LTS branch Version with complete mitigation Recommended version (stabilization candidate)
4.4 >=sys-kernel/gentoo-sources-4.4.188 >=sys-kernel/gentoo-sources-4.4.189
4.9 >=sys-kernel/gentoo-sources-4.9.188 >=sys-kernel/gentoo-sources-4.9.189
4.14 >=sys-kernel/gentoo-sources-4.14.137 >=sys-kernel/gentoo-sources-4.14.138
4.19 >=sys-kernel/gentoo-sources-4.19.65 >=sys-kernel/gentoo-sources-4.19.66

Known performance impact

First tests with SWAPGS mitigation have shown to cause a performance impact. Benchmarks being worked on.

References