CVE-2022-42336

2023-05-1700:00:00

ubuntu.com

mishandling

ssbd selection

amd hardware

logic

coordination

core level

under or overflow

thread counter

3.3 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

Mishandling of guest SSBD selection on AMD hardware The current logic to
set SSBD on AMD Family 17h and Hygon Family 18h processors requires that
the setting of SSBD is coordinated at a core level, as the setting is
shared between threads. Logic was introduced to keep track of how many
threads require SSBD active in order to coordinate it, such logic relies on
using a per-core counter of threads that have SSBD active. When running on
the mentioned hardware, it’s possible for a guest to under or overflow the
thread counter, because each write to VIRT_SPEC_CTRL.SSBD by the guest gets
propagated to the helper that does the per-core active accounting.
Underflowing the counter causes the value to get saturated, and thus
attempts for guests running on the same core to set SSBD won’t have effect
because the hypervisor assumes it’s already active.

Notes

Author	Note
mdeslaur	hypervisor packages are in universe. For issues in the hypervisor, add appropriate tags to each section, ex: Tags_xen: universe-binary

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchxen< anyUNKNOWN
ubuntu20.04noarchxen< anyUNKNOWN
ubuntu22.04noarchxen< anyUNKNOWN
ubuntu23.10noarchxen< anyUNKNOWN
ubuntu24.04noarchxen< anyUNKNOWN
ubuntu16.04noarchxen< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	xen	< any	UNKNOWN
ubuntu	20.04	noarch	xen	< any	UNKNOWN
ubuntu	22.04	noarch	xen	< any	UNKNOWN
ubuntu	23.10	noarch	xen	< any	UNKNOWN
ubuntu	24.04	noarch	xen	< any	UNKNOWN
ubuntu	16.04	noarch	xen	< any	UNKNOWN