
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-1998 is a vulnerability in the Linux kernel affecting the Spectre v2 SMT mitigations. It was discovered on VMs at major cloud providers, where the kernel still left victim processes exposed to attack in some cases even after the Spectre-BTI mitigation had been enabled with prctl(). The vulnerability was reported on February 20, 2023 and fixed on March 10, 2023 (GitHub Security).
The vulnerability occurs when plain IBRS (not enhanced IBRS) is enabled. The kernel's logic determined that STIBP was not needed, because the IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS the IBRS bit is cleared on returning to userspace for performance reasons, which removes that implicit protection and leaves userspace threads vulnerable to cross-thread branch target injection (Linux Commit).
The vulnerability could allow a local or remote attacker to leak sensitive information from user-space applications that attempt to enable Spectre v2 mitigations. It particularly affects systems using legacy IBRS without enhanced IBRS support (Red Hat Portal).
The issue was fixed in Linux kernel 6.3 by modifying the spectre_v2_user_select_mitigation() function to allow enabling STIBP with legacy IBRS. The fix excludes IBRS from the spectre_v2_in_ibrs_mode() check so that STIBP can be enabled through seccomp/prctl() by default, or always-on if selected by the spectre_v2_user kernel command-line parameter (Linux Commit).
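As an added example (not code from this page or from the kernel), a small C host check a defender can run: it classifies the kernel's spectre_v2 sysfs status line for the legacy-IBRS case described above and opts the calling task in to STIBP through prctl(), reporting what the kernel returns. It assumes the sysfs path and line formats used by the kernel's bugs.c, and that a fixed kernel reports a STIBP field alongside legacy IBRS while pre-fix kernels omitted it (an assumption, not stated on this page); the fallback status line is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallbacks for older headers; values match linux/prctl.h. */
#ifndef PR_SET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_DISABLE (1UL << 2)
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif

enum ibrs_state { NOT_IBRS, ENHANCED_IBRS, LEGACY_IBRS_NO_STIBP, LEGACY_IBRS_STIBP };

/* Classify one spectre_v2 sysfs line. Only legacy IBRS is affected by
 * CVE-2023-1998; a legacy-IBRS line without a "STIBP:" field is treated as a
 * pre-fix kernel (assumption: the fix also made sysfs show STIBP with IBRS). */
enum ibrs_state classify_spectre_v2(const char *line) {
    if (strncmp(line, "Mitigation: Enhanced", 20) == 0)
        return ENHANCED_IBRS;            /* IBRS bit stays set on return to user */
    if (strncmp(line, "Mitigation: IBRS", 16) != 0)
        return NOT_IBRS;                 /* retpolines, "Vulnerable", etc. */
    /* "PBRSB-eIBRS:" also contains "IBRS", so test the STIBP field explicitly. */
    return strstr(line, "STIBP:") ? LEGACY_IBRS_STIBP : LEGACY_IBRS_NO_STIBP;
}

/* Opt this task in to STIBP the way an application does, then read back what
 * the kernel reports. Returns the PR_GET_SPECULATION_CTRL mask, or -errno if
 * the kernel refused (e.g. ENODEV when the CPU is not affected). */
long request_stibp_for_task(void) {
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0) != 0)
        return -errno;
    long st = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    return st < 0 ? -errno : st;
}

int main(void) {
    /* Constructed pre-fix-style line, used only if sysfs is unreadable here. */
    char line[256] = "Mitigation: IBRS, IBPB: conditional, RSB filling, PBRSB-eIBRS: Not affected\n";
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spectre_v2", "r");
    if (f) { if (!fgets(line, sizeof line, f)) strcpy(line, "(unreadable)\n"); fclose(f); }
    printf("spectre_v2: %s", line);
    printf("class=%d (2 = legacy IBRS without STIBP), STIBP request -> %ld\n",
           classify_spectre_v2(line), request_stibp_for_task());
    return 0;
}
```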
Source: This report was generated using AI