Speculative Behavior of SWAPGS and Segment Registers / CVE-2019-1125

Published: 08/06/2019

Disclosure date: 
2019-08-06

Published date: 
2019-08-06

Severity rating: 
5.6 Medium

Industry-wide severity ratings can be found in the National Vulnerability Database


Related Content

More Information on SWAPGS and Speculative only Segment Loads

Intel Analysis of the Speculative Behavior of SWAPGS and Segment Registers

List of processors potentially affected by the Speculative Behavior of SWAPGS and Segment Registers

Linux* kernel documentation

Microsoft security advisory

Overview

SWAPGS

The IA-32 architecture uses memory segmentation in the formation of physical memory addresses. Segment descriptors specify a base address (along with other attributes) for each segment, on which the rest of the physical address is built. Segment information is stored in a table in memory, and the individual segments are referenced by selectors that act as indices into this table. Many operating systems (OSes) use the GS segment register to reference application and kernel data that is specific to a thread or processor. In such cases, the operating system maintains both user space and kernel values of GS. The SWAPGS instruction is a privileged CPU instruction used to exchange the application and kernel values of GS. If operating systems that use SWAPGS to switch the contents of the GS register on kernel entry have code paths that conditionally determine whether or not to execute the instruction and then also contain memory references offset from the register, those OSes may be vulnerable to malicious actors who can cause the SWAPGS instruction to be speculatively executed or bypassed. The CVE assigned to this vulnerability is CVE-2019-1125 (5.6 Medium CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C).

Segment Registers

Refer to Intel Analysis of Speculative Behavior of SWAPGS and Segment Registers for more information on the role of segment registers in this vulnerability.

Mitigation

OS and VMM Developers

After assessing this issue, industry partners determined that mitigations for this issue would be implemented by the operating system. Refer to Intel Analysis of Speculative Behavior of SWAPGS and Segment Registers for more details, including example code. 

You can also find additional information in the Microsoft* security advisory for Windows* operating systems and the latest kernel.org documentation for Linux* operating systems.

System Administrators and Application Developers

Intel recommends that you always keep your systems up to date with the latest security updates and guidance from your OS and virtual machine monitor (VMM) vendors.

 

Software Security Guidance Home | Advisory Guidance | Technical Documentation | Best Practices | Resources

Product and Performance Information

1

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.