
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-29900 is a vulnerability discovered in AMD microprocessor families 15h to 18h, where mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions. This vulnerability was disclosed in July 2022 and is part of the Retbleed speculative execution attack class (SecPod Blog, Red Hat Solution).
The vulnerability allows an attacker to hijack return instructions to achieve arbitrary speculative code execution under specific microarchitectural conditions. It is similar to Spectre v2 and can bypass conventional memory security restrictions. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (NVD).
An unprivileged attacker can use this vulnerability to bypass memory security restrictions and gain read access to privileged memory that would otherwise be inaccessible. This is particularly concerning in public cloud environments, where it could allow data to be obtained from other VMs running on a shared hypervisor (Red Hat Solution).
AMD introduced Jmp2Ret as a software-based mitigation that prevents attacker-controlled branch target buffer (BTB) entries from being used to predict privileged 'ret' instructions. For Red Hat Enterprise Linux 8/9, systems can be protected by booting with the kernel parameter 'spectre_v2=ibrs'. The mitigation can be disabled using the kernel parameter 'retbleed=off'. For RHEL 7, both parameters 'spectre_v2=retpoline,force' and 'retbleed=off' are required (Red Hat Solution, SecPod Blog).
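To check which of the boot parameters above a host is actually running with, the following added example (not from the original page or from Red Hat or AMD) combines the kernel command line with the kernel's own Retbleed status. It assumes the kernel exposes `/sys/devices/system/cpu/vulnerabilities/retbleed`; the function names and verdict labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit Retbleed-related boot parameters against kernel status.

# Print the value of the last "key=value" token for key $1 in command line $2
# (the last occurrence wins), or "(unset)" if the key is absent.
cmdline_value() {
    key=$1; val="(unset)"
    set -f                      # no globbing while word-splitting the cmdline
    for tok in $2; do
        case $tok in
            "$key"=*) val=${tok#*=} ;;
        esac
    done
    set +f
    printf '%s\n' "$val"
}

# $1 = kernel command line, $2 = content of the sysfs retbleed status file.
# Prints "<VERDICT> retbleed=<value> spectre_v2=<value>".
retbleed_audit() {
    rb=$(cmdline_value retbleed "$1")
    v2=$(cmdline_value spectre_v2 "$1")
    case $2 in
        "Not affected"*) state=NOT_AFFECTED ;;
        Vulnerable*)     state=VULNERABLE ;;
        Mitigation:*)    state=MITIGATED ;;
        *)               state=UNKNOWN ;;
    esac
    # retbleed=off on an affected CPU is a finding in its own right.
    if [ "$rb" = off ] && [ "$state" != NOT_AFFECTED ]; then
        state=DISABLED_BY_CMDLINE
    fi
    printf '%s retbleed=%s spectre_v2=%s\n' "$state" "$rb" "$v2"
}

# Live check on this host; skipped when the kernel has no status file.
status_file=/sys/devices/system/cpu/vulnerabilities/retbleed
if [ -r /proc/cmdline ] && [ -r "$status_file" ]; then
    retbleed_audit "$(cat /proc/cmdline)" "$(cat "$status_file")"
else
    echo "no retbleed status file; kernel may predate the Retbleed patches"
fi
```

A `DISABLED_BY_CMDLINE` or `VULNERABLE` verdict on a multi-tenant hypervisor is the case the page flags as most concerning.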
Source: This report was generated using AI