Commit f2ed886b authored Aug 14, 2025 by Pawan Gupta Committed by Greg Kroah-Hartman Sep 11, 2025

x86/vmscape: Enumerate VMSCAPE bug



commit a508cec6 upstream.

The VMSCAPE vulnerability may allow a guest to cause Branch Target
Injection (BTI) in userspace hypervisors.

Kernels (both host and guest) have existing defenses against direct BTI
attacks from guests. There are also inter-process BTI mitigations which
prevent processes from attacking each other. However, the threat in this
case is to a userspace hypervisor within the same process as the attacker.

Userspace hypervisors have access to their own sensitive data like disk
encryption keys and also typically have access to all guest data. This
means guest userspace may use the hypervisor as a confused deputy to attack
sensitive guest kernel data. There are no existing mitigations for these
attacks.

Introduce X86_BUG_VMSCAPE for this vulnerability and set it on affected
Intel and AMD CPUs.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
[Amit:
 * Drop unsupported Intel families: ARROWLAKE, METEORLAKE,
   ATOM_CRESTMONT_X; and unlisted ATOM types for RAPTORLAKE and
   ALDERLAKE
 * s/ATOM_GRACEMONT/ALDERLAKE_N/
 * Drop unsupported AMD family: 0x1a]
Signed-off-by: Amit Shah <amit.shah@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent a4fff4e5

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit 21363d9c
· Nov 05, 2025

mentioned in commit 21363d9c

mentioned in commit 21363d9cdc9597338884ccab173796eb07d9a8ff

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 08c3bb4d
· Nov 05, 2025

mentioned in commit 08c3bb4d

mentioned in commit 08c3bb4d118ad494fb39c98fa897584c4dc00e19

Toggle commit list

Please to comment