* Mon Sep 15 2025 Jon Maloy <jmaloy@redhat.com> - 9.1.0-28

- kvm-target-i386-Expose-IBPB-BRTYPE-and-SBPB-CPUID-bits-t.patch [RHEL-17614] - Resolves: RHEL-17614 (VM reports Vulnerable to spec_rstack_overflow when reading status in '/sys/devices/system/cpu/vulnerabilities/')
2025-09-15 15:18:46 -04:00 · 2025-09-15 15:18:46 -04:00 · 66d026c14d
commit 66d026c14d
parent a92c51d39e
2 changed files with 78 additions and 1 deletions
--- a/kvm-target-i386-Expose-IBPB-BRTYPE-and-SBPB-CPUID-bits-t.patch
+++ b/kvm-target-i386-Expose-IBPB-BRTYPE-and-SBPB-CPUID-bits-t.patch
@ -0,0 +1,70 @@
+From dd03cf49fbf6a961a726506cb5264768d814d2c4 Mon Sep 17 00:00:00 2001
+From: Igor Mammedov <imammedo@redhat.com>
+Date: Mon, 5 Aug 2024 17:20:41 -0300
+Subject: [PATCH] target/i386: Expose IBPB-BRTYPE and SBPB CPUID bits to the
+ guest
+
+RH-Author: Igor Mammedov <imammedo@redhat.com>
+RH-MergeRequest: 401: target/i386: Expose IBPB-BRTYPE and SBPB CPUID bits to the guest
+RH-Jira: RHEL-17614
+RH-Acked-by: Ani Sinha <anisinha@redhat.com>
+RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
+RH-Commit: [1/1] aa904a1ea0552fc37b61f79fda8a471928ea5d81 (imammedo/qemu-kvm-cs)
+
+According to AMD's Speculative Return Stack Overflow whitepaper (link
+below), the hypervisor should synthesize the value of IBPB_BRTYPE and
+SBPB CPUID bits to the guest.
+
+Support for this is already present in the kernel with commit
+e47d86083c66 ("KVM: x86: Add SBPB support") and commit 6f0f23ef76be
+("KVM: x86: Add IBPB_BRTYPE support").
+
+Add support in QEMU to expose the bits to the guest OS.
+
+host:
+  # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
+  Mitigation: Safe RET
+
+before (guest):
+  $ cpuid -l 0x80000021 -1 -r
+  0x80000021 0x00: eax=0x00000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
+                            ^
+  $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
+  Vulnerable: Safe RET, no microcode
+
+after (guest):
+  $ cpuid -l 0x80000021 -1 -r
+  0x80000021 0x00: eax=0x18000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
+                            ^
+  $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
+  Mitigation: Safe RET
+
+Reported-by: Fabian Vogt <fvogt@suse.de>
+Link: https://www.amd.com/content/dam/amd/en/documents/corporate/cr/speculative-return-stack-overflow-whitepaper.pdf
+Signed-off-by: Fabiano Rosas <farosas@suse.de>
+Link: https://lore.kernel.org/r/20240805202041.5936-1-farosas@suse.de
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+(cherry picked from commit 0701abbf9880b5ab1cf44e0caa6ad173aec840e7)
+JIRA: https://issues.redhat.com/browse/RHEL-17614
+Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+---
+ target/i386/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index ee753351fc..f75cc04cd3 100644
+--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
+@@ -1241,7 +1241,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+             "prefetchi", NULL, NULL, NULL,
+-            NULL, NULL, NULL, NULL,
+            NULL, NULL, NULL, "sbpb",
+             "ibpb-brtype", "srso-no", "srso-user-kernel-no", NULL,
+         },
+         .cpuid = { .eax = 0x80000021, .reg = R_EAX, },
+-- 
+2.50.1
+
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@ -149,7 +149,7 @@ Obsoletes: %{name}-block-ssh <= %{epoch}:%{version}                    \
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 9.1.0
-Release: 27%{?rcrel}%{?dist}%{?cc_suffix}
+Release: 28%{?rcrel}%{?dist}%{?cc_suffix}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@ -1197,6 +1197,8 @@ Patch391: kvm-ram-block-attributes-Introduce-RamBlockAttributes-to.patch
 # For RHEL-20798 - [Intel 9.6 FEAT] TDX: host: Virt-QEMU: Add safe device pass-through for TD
 # For RHEL-49728 - [Intel 9.7 FEAT] Virt-QEMU: TDX: Allow to configure apic bus clock
 Patch392: kvm-physmem-Support-coordinated-discarding-of-RAM-with-g.patch
+# For RHEL-17614 - VM reports Vulnerable to spec_rstack_overflow when reading status in '/sys/devices/system/cpu/vulnerabilities/'
+Patch393: kvm-target-i386-Expose-IBPB-BRTYPE-and-SBPB-CPUID-bits-t.patch

 %if %{have_clang}
 BuildRequires: clang
@ -2272,6 +2274,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif

 %changelog
+* Mon Sep 15 2025 Jon Maloy <jmaloy@redhat.com> - 9.1.0-28
+- kvm-target-i386-Expose-IBPB-BRTYPE-and-SBPB-CPUID-bits-t.patch [RHEL-17614]
+- Resolves: RHEL-17614
+  (VM reports Vulnerable to spec_rstack_overflow when reading status in '/sys/devices/system/cpu/vulnerabilities/')
+
 * Tue Sep 09 2025 Jon Maloy <jmaloy@redhat.com> - 9.1.0-27
 - kvm-target-i386-Make-invtsc-migratable-when-user-sets-ts.patch [RHEL-15710 RHEL-20798 RHEL-49728]
 - kvm-target-i386-Enable-fdp-excptn-only-and-zero-fcs-fds.patch [RHEL-15710 RHEL-20798 RHEL-49728]