SWAPGS: Meltdown may be over, Spectre looms

Meltdown and Spectre with some ominous figure
Meltdown and Spectre with some ominous figure

Meltdown and Spectre are, without doubt, the worst vulnerabilities discovered in the last decade, thanks to a joint effort between software vendors, fixes were rolled out before things could become catastrophic. While everything seems to have settled down for Meltdown, Spectre is still hanging around in many variants, one of these is SWAPGS, and it can bypass existing Spectre fixes.

Another speculation, another misfortune

The x86 family of microprocessors implements a feature known as memory “segmentation” in which all memory addresses are formed from a segment base address, plus an offset within that segment. The architecture defines segment registers (CS, DS, SS, ES, FS, GS) that may be used in building a complete memory address, with some used implicitly by certain instructions.

The “FS” and “GS” registers can be used in 64-bit mode to provide an offset into memory ranges reserved for specific data. For example, Linux uses “GS” to store TLS (Thread Local Storage) pointers in userspace (user) applications, and to serve as an offset into per_cpu data for a given processor when in-kernel. The “SWAPGS” instruction is used on 64-bit entry into kernel code to swap the current user space value of “GS” with the value intended to be used during kernel operations. Red Hat

SWAPGS is a Spectre v1 variant that allows an unprivileged local attacker to access privileged memory that could contain important information. The vulnerability has been assigned CVE-2019-1125.

Who is (not) affected?

While this is a Spectre variant, it doesn’t affect ARM processors. The vulnerability can be primarily found in x86_64 machines, and more specifically Intel processors. AMD believes its products are not impacted and the existing Spectre fixes should already cover the only exploitable scenario.

The fix

No CPU microcode is needed to fix the issue, but a software patch is needed even if the system has already been patched against Spectre. Microsoft has already released the fix in KB4507453. A patched Linux kernel is required to mitigate the issue.

Since these fixes are software, the patches weigh on system performance. This fix, once applied, sits on top of others Spectre/Meltdown patches further deteriorating system performance. For benchmarks please refer to Phoronix.

Image courtesy of mark | marksei

You may also like...

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.