SWAPGS: Meltdown may be over, Spectre looms
Meltdown and Spectre are, without doubt, the worst vulnerabilities discovered in the last decade. Thanks to a joint effort between hardware and software vendors, fixes were rolled out before things could become catastrophic. While everything seems to have settled down for Meltdown, Spectre is still hanging around in many variants. One of these is SWAPGS, and it can bypass the existing Spectre fixes.
Another speculation, another misfortune
The x86 family of microprocessors implements a feature known as memory “segmentation” in which all memory addresses are formed from a segment base address, plus an offset within that segment. The architecture defines segment registers (CS, DS, SS, ES, FS, GS) that may be used in building a complete memory address, with some used implicitly by certain instructions.
In 64-bit mode the other segment bases are forced to zero, but “FS” and “GS” keep a programmable base address and are used as offsets into memory ranges reserved for specific data. For example, on x86-64 Linux user-space applications address their TLS (Thread Local Storage) through “FS”, while the kernel uses “GS” as the base of the per_cpu data for the processor it is running on. The “SWAPGS” instruction is executed on 64-bit entry into kernel code to exchange the current (user-space) GS base with the kernel value held in the KERNEL_GS_BASE MSR, and again on the way back to user space to restore it.
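The following program is an added example, not code from the original article: it shows the “segment base + offset” addressing described above from user space on x86-64 Linux. It installs its own GS base with arch_prctl(ARCH_SET_GS) and then reads memory through %gs:offset, and it checks that %fs:0 holds the TLS self-pointer that glibc keeps at the FS base. The demo_block contents are constructed sample data; the code assumes x86-64 Linux with glibc and is not meant to run on other platforms.

```c
// Added example (not from the original article or the Linux kernel):
// user-space demonstration of FS/GS segment-base addressing on x86-64 Linux.
// Assumes x86-64 Linux with glibc; demo_block is constructed sample data.
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Values from <asm/prctl.h>; defined here so the example builds without it. */
#ifndef ARCH_SET_GS
#define ARCH_SET_GS 0x1001
#define ARCH_SET_FS 0x1002
#define ARCH_GET_FS 0x1003
#define ARCH_GET_GS 0x1004
#endif

/* Constructed "per-thread" data block that we will address via GS. */
static uint64_t demo_block[4] = { 0x1111, 0x2222, 0x3333, 0x4444 };

#if defined(__x86_64__) && defined(__linux__)

/* Install a new user-space GS base. The kernel records it and, on return
   to user mode (after SWAPGS), it becomes the active GS base. */
static long set_gs_base(void *base) {
    return syscall(SYS_arch_prctl, ARCH_SET_GS, (unsigned long)base);
}

/* Query the current FS or GS base (which = ARCH_GET_FS or ARCH_GET_GS). */
static uint64_t get_base(int which) {
    uint64_t base = 0;
    if (syscall(SYS_arch_prctl, which, &base) != 0) return 0;
    return base;
}

/* Load the 8-byte value at (GS base + off): segment base plus offset. */
static uint64_t read_gs(uint64_t off) {
    uint64_t v;
    __asm__ volatile("movq %%gs:(%1), %0" : "=r"(v) : "r"(off));
    return v;
}

/* glibc stores a pointer to the thread control block at %fs:0,
   so this read returns the FS base itself. */
static uint64_t read_fs_self_pointer(void) {
    uint64_t v;
    __asm__ volatile("movq %%fs:0, %0" : "=r"(v));
    return v;
}

/* Returns 0 when every check passes; a non-zero code names the failing step. */
int segment_demo(void) {
    if (set_gs_base(demo_block) != 0) return 1;
    if (get_base(ARCH_GET_GS) != (uint64_t)(uintptr_t)demo_block) return 2;
    /* demo_block[0] sits at offset 0, demo_block[2] at offset 16 */
    if (read_gs(0) != 0x1111 || read_gs(16) != 0x3333) return 3;
    /* user-space TLS lives in FS, and %fs:0 is the TCB self-pointer */
    if (read_fs_self_pointer() != get_base(ARCH_GET_FS)) return 4;
    set_gs_base(0);  /* leave the GS base as we found it */
    return 0;
}

#else
int segment_demo(void) { return 99; }  /* not x86-64 Linux: nothing to show */
#endif

int main(void) {
    int rc = segment_demo();
    printf("segment demo: %s (code %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

Build with `gcc -O2 -o segdemo segdemo.c` and run it as an ordinary user; no privileges are needed because arch_prctl only changes the calling thread's own segment bases. The kernel never lets user space touch the KERNEL_GS_BASE value that SWAPGS swaps in, which is exactly why speculation around that instruction matters.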
SWAPGS is a Spectre v1 variant that allows an unprivileged local attacker to read privileged (kernel) memory through a speculative side channel. The kernel entry code branches on whether the CPU arrived from user or kernel mode to decide whether to execute SWAPGS; if the processor mispredicts that branch, it can speculatively run kernel code with the wrong GS base, a window the original Spectre v1 mitigations did not cover. The vulnerability has been assigned CVE-2019-1125.
Who is (not) affected?
While this is a Spectre variant, it does not affect ARM processors. The vulnerability is specific to x86-64 machines, and more specifically to Intel processors. AMD believes its products are not impacted and that the existing Spectre fixes already cover the only exploitable scenario.
No CPU microcode update is needed to fix the issue, but a software patch is needed even on systems that have already been patched against Spectre. Microsoft shipped the fix in KB4507453. On Linux a patched kernel is required: the fix adds serializing fences (LFENCE) around SWAPGS in the kernel entry code so that the CPU cannot speculate past the point where the GS base is decided.
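To check whether a Linux system has the SWAPGS fix, read the sysfs file `/sys/devices/system/cpu/vulnerabilities/spectre_v1`: patched kernels report "Mitigation: usercopy/swapgs barriers and __user pointer sanitization", a patched kernel booted with the mitigation disabled reports "Vulnerable: ... no swapgs barriers", and kernels that predate the fix only mention "__user pointer sanitization". The program below is an added example, not code from the original article: it classifies that status line and, when run, reads the live file. The sample status strings in the block are constructed from the kernel's reporting format.

```c
// Added example (not from the original article): classify the Linux
// spectre_v1 sysfs status line to tell whether the SWAPGS fix is present.
// Assumes a Linux system; the sample strings are constructed test inputs.
#include <stdio.h>
#include <string.h>

enum swapgs_status {
    SWAPGS_MITIGATED = 0,      /* patched kernel, fences active */
    SWAPGS_DISABLED  = 1,      /* patched kernel, mitigation switched off */
    SWAPGS_UNPATCHED = 2,      /* kernel predates the SWAPGS fix */
    SWAPGS_UNKNOWN   = 3       /* string not recognised */
};

/* Classify one status line as the kernel writes it to
   /sys/devices/system/cpu/vulnerabilities/spectre_v1. */
enum swapgs_status classify_spectre_v1(const char *line) {
    if (line == NULL) return SWAPGS_UNKNOWN;
    int mentions_swapgs = strstr(line, "swapgs") != NULL;

    if (strncmp(line, "Mitigation:", 11) == 0)
        return mentions_swapgs ? SWAPGS_MITIGATED : SWAPGS_UNPATCHED;
    if (strncmp(line, "Vulnerable", 10) == 0)
        /* "no swapgs barriers" is only printed by kernels that carry the fix */
        return mentions_swapgs ? SWAPGS_DISABLED : SWAPGS_UNPATCHED;
    if (strncmp(line, "Not affected", 12) == 0)
        return SWAPGS_MITIGATED;
    return SWAPGS_UNKNOWN;
}

const char *swapgs_status_name(enum swapgs_status s) {
    static const char *names[] = {
        "patched: swapgs barriers active",
        "patched but mitigation disabled (check kernel command line)",
        "unpatched: kernel predates the SWAPGS fix",
        "unknown status string"
    };
    return names[s];
}

/* Read the live sysfs file; returns SWAPGS_UNKNOWN if it cannot be read. */
enum swapgs_status check_running_kernel(void) {
    char line[256];
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spectre_v1", "r");
    if (f == NULL) return SWAPGS_UNKNOWN;
    if (fgets(line, sizeof line, f) == NULL) line[0] = '\0';
    fclose(f);
    line[strcspn(line, "\n")] = '\0';
    return classify_spectre_v1(line);
}

int main(void) {
    enum swapgs_status s = check_running_kernel();
    printf("spectre_v1 / SWAPGS: %s\n", swapgs_status_name(s));
    return s == SWAPGS_MITIGATED ? 0 : 1;
}
```

The "Not affected" case is treated as mitigated because it is what the kernel prints on CPUs it does not flag as vulnerable; on Intel hardware you should expect the explicit "usercopy/swapgs barriers" line. A Windows host is checked differently, by confirming that KB4507453 (or a later cumulative update) is installed.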
Since these fixes are implemented in software, they cost system performance. Once applied, this fix sits on top of the other Spectre/Meltdown patches, further reducing performance; the added fences are executed on every kernel entry, so syscall-heavy workloads feel it most. For benchmarks please refer to Phoronix.