Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 / INTEL-SA-00702

ID 737306
Updated 7/12/2022
Version Latest
Public


Disclosure date:
2022-07-12
Published date:
2022-07-12
Severity rating:
4.7 Medium
Industry-wide severity ratings can be found in the National Vulnerability Database

Aliases

  • Retbleed

Overview

The Return Stack Buffer (RSB) is a fixed-size buffer that provides predictions for RET instructions. It can underflow in certain conditions. For example, RSB underflow may occur when a program is returning from a deep call stack due to executing more RETs than the number of entries in the RSB for that processor. As previously described in Retpoline: A Branch Target Injection Mitigation, some Intel processors may use alternate predictors to predict the target of RET instructions when the RSB has underflowed. This is also referred to as “Empty RSB” behavior.

On some Skylake-generation processors without eIBRS, researchers from ETH Zurich have demonstrated RSB underflow (RSBU) attacks against the Linux* kernel. This could cause a RET instruction in the kernel to predict a target chosen by user-mode software. This article also considers potential usage of this technique by a guest against a VMM to be “RSBU.” Although Intel was unaware of any demonstrated attacks exploiting RSB underflow at the time, Intel had previously documented the theoretical possibility of Branch Target Injection (BTI) attacks based on RSB underflow due to deep call stacks on some Skylake-generation processors that do not support enhanced indirect branch restricted speculation (eIBRS). These attacks are mitigated by IBRS, but not by the retpoline software mitigation.

The same researchers also observed a previously undocumented RSB alternate prediction behavior on some Skylake-generation processors with eIBRS. On these processors, the alternate prediction targets are constrained to branch predictor entries within the current predictor domain. The Branch History Injection and Intra-mode Branch Target Injection technical article previously termed such behavior Restricted RSB Alternate (RRSBA), and described techniques that could be used to influence the target of a RET instruction within the current domain.

This article summarizes an update to Intel’s guidance for both of these classes of potential attacks. More details and updated guidance can be found in Retpoline: A Branch Target Injection Mitigation. Managed runtime developers should continue to follow the previous guidance in Managed Runtime Speculative Execution Side Channel Mitigations.

Return Stack Buffer Underflow has been assigned CVE-2022-29901 with a CVSS base score of 4.7 (Medium) CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N and CVE-2022-28693 with a CVSS base score of 4.7 (Medium) CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N.

Mitigation

The situations where the RSB may become empty, and thus RSB underflow may be possible, are documented in the “Empty RSB Mitigation on Skylake-generation” section of Intel’s retpoline guidance. The transient execution resulting from such situations could potentially be used to perform Branch Target Injection, Branch History Injection (BHI), and intra-mode Branch Target Injection (IMBTI). This section provides updated guidance for mitigating such potential attacks on processors that use alternate predictors on underflowed RETs. The existing articles Branch Target Injection and BHI and IMBTI have also been updated to include the guidance provided in this section.

Guidance for RSBU

The Indirect Branch Restricted Speculation (IBRS) mechanism is a mitigation for Branch Target Injection. It prevents software running in a less privileged predictor mode from controlling the predicted targets of indirect branches (including RETs) executed by software running in a more privileged predictor mode.

Enabling IBRS (including enhanced IBRS) will mitigate the “RSBU” attack demonstrated by the researchers. As previously documented, Intel recommends the use of enhanced IBRS, where supported. This includes any processor that enumerates RRSBA but not RRSBA_DIS_S.

Processors that enumerate support for RRSBA_DIS_S are not affected by the “RSBU” attack demonstrated by the researchers regardless of the setting of IBRS or RRSBA_DIS_S.

Some Skylake-generation processors exhibit RSBA behavior. On these processors, which do not support enhanced IBRS, operating system and hypervisor vendors should consider enabling IBRS after transition from less privileged domains. 

For processors with eIBRS, current guidance recommends ensuring IBRS is set after VM exit.

The “RSB stuffing” software sequence documented in Intel’s retpoline guidance can be used to reduce the likelihood of underflows on affected processors. An alternative mitigation for RSB underflow attacks relying on deep call stacks, such as “Retbleed,” is to apply “RSB stuffing” or set IBRS before RET instructions at risk of underflow due to deep call stacks. Intel is working with the Linux community to develop such a mitigation.

Updated Guidance for Branch History Injection and Intra-mode Branch Target Injection

Branch History Injection and intra-mode BTI attacks have more complex requirements, including the need for suitable disclosure gadgets to be present in the predictor entries used by the relevant predictor mode. At the time of writing, Intel is not aware of any proposed BHI attacks using RSB underflow behavior. Where such attacks are a concern, hardening techniques that clear registers before RET instructions (such as gcc’s -fzero-call-used-regs option) may be useful to provide defense-in-depth by preventing the use of some potential gadgets, even if such gadgets are present.

On Skylake-generation processors without support for enhanced IBRS, enabling IBRS is sufficient to mitigate BHI and intra-mode BTI attacks. On later processors, Intel recommends enabling eIBRS. As documented, this requires the VMM to set the IBRS bit of IA32_SPEC_CTRL if a guest has unset it.

On processors based on microarchitecture code name Alder Lake, Sapphire Rapids, and later processors that support the RRSBA_DIS_S indirect branch predictor control, RRSBA_DIS_S can be used to disable the use of alternate predictors on RSB underflow. As documented in the BHI guidance, where software is using retpoline as a mitigation for BHI or intra-mode BTI, Intel recommends using the RRSBA_DIS_S control. 

On processors where RRSBA_DIS controls are not available, Intel has updated the BHI guidance to provide a BHB-clearing software sequence that can be used at appropriate points, such as transitions from less privileged domains, to prevent a potential attacker from being able to influence the BHB.

Speculative Execution of Instructions after RET

On processors that demonstrate RSBA behavior[1] and do not enumerate enhanced IBRS, execution of a RET with a target displacement of more than 4 GB may create an indirect branch predictor entry whose target is the address of the instruction following a near RET. As a result, alternate predictors may predict the address after that near RET for subsequent RET predictions made with an empty RSB.

This is only relevant for Skylake-generation processors without eIBRS that exhibit RSBA behavior, and such alternate predictors are only used when RSB predictions are not available, such as for underflowed RETs. In such cases, following a RET with a speculation barrier, such as an INT3 instruction, will prevent further speculative execution if such a prediction occurs.

Affected Processors

Refer to the consolidated Affected Processors table (2022 tab, RSBU (RSBA) CVE-2022-29901 and RSBU (RRSBA) CVE-2022-28693 columns) for a list of processors affected by these behaviors.

RSBA: RSB Alternate (RSBA) behavior allows alternate branch predictors to be used by near RET instructions when the RSB is empty, and the predicted targets of these alternate predictors are not limited to those of the current prediction domain. The guidance in the Guidance for RSBU section is relevant for processors with RSBA behavior. 

RRSBA: Restricted RSB Alternate (RRSBA) behavior allows alternate branch predictors to be used by near RET instructions when the RSB is empty. When eIBRS is enabled, the predicted targets of these alternate predictors are restricted to those belonging to the indirect branch predictor entries of the current prediction domain. Additionally, on parts that enumerate RRSBA_DIS_S, the above property holds even when eIBRS is not enabled. The guidance in the Updated Guidance for Branch History Injection and Intra-mode BTI section is relevant for processors with RRSBA behavior. 

Note: Intel plans to provide a microcode update for such processors which will have a new enumeration[2] for RRSBA.
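To make the Guidance for RSBU and Affected Processors sections concrete, the following is an added example (not Intel's code) that classifies a part as RSBA or RRSBA from its IA32_ARCH_CAPABILITIES bits and applies the article's rules for whether the demonstrated RSBU attack is mitigated and whether RRSBA_DIS_S should be set. The bit positions (ARCH_CAPABILITIES bits 1, 2 and 19; SPEC_CTRL bits 0 and 6; CPUID.(7,2):EDX[2] for RRSBA_CTRL) are assumed from Linux's msr-index.h and cpufeatures.h rather than taken from this page, and the family/model path for RSBA enumeration mentioned in footnote 1 is not modelled.

```c
/* Classify RSB-alternate behavior and check RSBU mitigation status from raw
 * MSR/CPUID bits. Bit positions assumed from Linux msr-index.h/cpufeatures.h;
 * confirm against the Intel SDM before relying on them. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define ARCH_CAP_IBRS_ALL     (1ULL << 1)   /* enhanced IBRS (eIBRS) present  */
#define ARCH_CAP_RSBA         (1ULL << 2)   /* RSB Alternate behavior          */
#define ARCH_CAP_RRSBA        (1ULL << 19)  /* Restricted RSB Alternate (needs
                                               microcode on some parts, fn. 2) */
#define SPEC_CTRL_IBRS        (1ULL << 0)
#define SPEC_CTRL_RRSBA_DIS_S (1ULL << 6)

struct cpu_state {
    uint64_t arch_caps;   /* IA32_ARCH_CAPABILITIES (MSR 0x10A)            */
    uint64_t spec_ctrl;   /* IA32_SPEC_CTRL (MSR 0x48) as left by OS/VMM   */
    bool     rrsba_ctrl;  /* CPUID.(EAX=7,ECX=2):EDX[2]: RRSBA_DIS_S exists */
};

enum rsb_behavior { RSB_NONE, RSB_RSBA, RSB_RRSBA };

/* Which Affected Processors class the part falls into (family/model-based
 * RSBA enumeration for older parts is not handled here). */
enum rsb_behavior rsb_behavior(const struct cpu_state *s)
{
    if (s->arch_caps & ARCH_CAP_RSBA)  return RSB_RSBA;
    if (s->arch_caps & ARCH_CAP_RRSBA) return RSB_RRSBA;
    return RSB_NONE;
}

/* Article rules: parts enumerating RRSBA_DIS_S are not affected by the
 * demonstrated RSBU attack regardless of settings; otherwise IBRS (eIBRS on
 * parts that have it) must be enabled. Retpoline alone does not mitigate. */
bool rsbu_mitigated(const struct cpu_state *s)
{
    if (rsb_behavior(s) == RSB_NONE || s->rrsba_ctrl) return true;
    return (s->spec_ctrl & SPEC_CTRL_IBRS) != 0;
}

/* For BHI/IMBTI hardening with retpoline, the article recommends setting
 * RRSBA_DIS_S wherever the part supports it. */
bool rrsba_dis_s_wanted(const struct cpu_state *s)
{
    return s->rrsba_ctrl && !(s->spec_ctrl & SPEC_CTRL_RRSBA_DIS_S);
}

int main(void)
{
    /* Constructed sample: a Skylake-class part enumerating RSBA, IBRS clear. */
    struct cpu_state sky = { ARCH_CAP_RSBA, 0, false };
    printf("RSBA part, IBRS clear: mitigated=%d\n", rsbu_mitigated(&sky));
    sky.spec_ctrl |= SPEC_CTRL_IBRS;
    printf("RSBA part, IBRS set:   mitigated=%d\n", rsbu_mitigated(&sky));
    return 0;
}
```

On a live Linux system the two MSR fields can be populated with rdmsr (msr-tools) on MSR 0x10A and 0x48, but reading them requires root and the msr driver.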

Footnotes

  1. RSBA behavior is enumerated through CPUID family/model information or IA32_ARCH_CAPABILITIES[RSBA]. See Retpoline: A Branch Target Injection Mitigation for details.
  2. For processors based on microarchitecture code name Alder Lake, a microcode update may need to be loaded for the processor to enumerate RRSBA, as well as to avoid other potential retpoline effectiveness issues.