CVE-2023-54172
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 30/12/2025
Last modified: 31/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction

On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs
with ConfigVersion 9.3 or later support IBT in the guest. However,
current versions of Hyper-V have a bug in that there's not an ENDBR64
instruction at the beginning of the hypercall page. Since hypercalls are
made with an indirect call to the hypercall page, all hypercall attempts
fail with an exception and Linux panics.

A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux
panic by clearing X86_FEATURE_IBT if the hypercall page doesn't start
with ENDBR. The VM will boot and run without IBT.

If future Linux 32-bit kernels were to support IBT, additional hypercall
page hackery would be needed to make IBT work for such kernels in a
Hyper-V VM.
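
The guard described above amounts to checking the first four bytes of the hypercall page for the ENDBR64 encoding (F3 0F 1E FA) before leaving IBT enabled. The following user-space C model is an added example, not the kernel patch itself; the function names and the sample page bytes are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Intel CET landing-pad encodings: ENDBR64 = F3 0F 1E FA, ENDBR32 = F3 0F 1E FB. */
static const uint8_t ENDBR64[4] = {0xF3, 0x0F, 0x1E, 0xFA};
static const uint8_t ENDBR32[4] = {0xF3, 0x0F, 0x1E, 0xFB};

/* True if an indirect-call target begins with the landing pad required
 * for the given mode. Buffers shorter than one ENDBR are rejected. */
bool starts_with_endbr(const uint8_t *page, size_t len, bool long_mode)
{
    if (page == NULL || len < sizeof(ENDBR64))
        return false;
    return memcmp(page, long_mode ? ENDBR64 : ENDBR32, sizeof(ENDBR64)) == 0;
}

/* Hypothetical model of the guard: IBT stays enabled only when the CPU
 * offers it AND the hypercall page is a valid indirect-branch target.
 * Otherwise the feature is cleared so hypercalls do not fault. */
bool ibt_after_hypercall_check(bool cpu_has_ibt, const uint8_t *page, size_t len)
{
    return cpu_has_ibt && starts_with_endbr(page, len, true);
}

/* Constructed sample pages (not dumped from a real hypervisor). */
const uint8_t page_without_endbr[] = {0x0F, 0x01, 0xC1, 0xC3};        /* vmcall; ret */
const uint8_t page_with_endbr[]    = {0xF3, 0x0F, 0x1E, 0xFA,         /* endbr64     */
                                      0x0F, 0x01, 0xC1, 0xC3};        /* vmcall; ret */

int main(void)
{
    printf("page without ENDBR64: IBT %s\n",
           ibt_after_hypercall_check(true, page_without_endbr,
                                     sizeof(page_without_endbr)) ? "kept" : "cleared");
    printf("page with ENDBR64:    IBT %s\n",
           ibt_after_hypercall_check(true, page_with_endbr,
                                     sizeof(page_with_endbr)) ? "kept" : "cleared");
    return 0;
}
```

The 32-bit case in the last paragraph of the description corresponds to `long_mode == false`, where the expected landing pad is ENDBR32 rather than ENDBR64.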



