CVE-2024-50102

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 05/11/2024
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

x86: fix user address masking non-canonical speculation issue

It turns out that AMD has a "Meltdown Lite(tm)" issue with non-canonical accesses in kernel space. And so using just the high bit to decide whether an access is in user space or kernel space ends up with the good old "leak speculative data" if you have the right gadget using the result:

CVE-2020-12965 "Transient Execution of Non-Canonical Accesses"

Now, the kernel surrounds the access with a STAC/CLAC pair, and those instructions end up serializing execution on older Zen architectures, which closes the speculation window.

But that was true only up until Zen 5, which renames the AC bit [1]. That improves performance of STAC/CLAC a lot, but also means that the speculation window is now open.

Note that this affects not just the new address masking, but also the regular valid_user_address() check used by access_ok(), and the asm version of the sign bit check in the get_user() helpers.

It does not affect put_user() or clear_user() variants, since there's no speculative result to be used in a gadget for those operations.
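To make the classification gap in the description concrete, the added example below (not kernel code, and not the actual patch) compares a sign-bit-only user/kernel test with a bounded test that also rejects the non-canonical hole; it assumes a 48-bit virtual address layout, and the USER_PTR_MAX constant and sample addresses are illustrative values chosen for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not taken from the kernel): 48-bit virtual addresses, so a
 * canonical address has bits 63..47 all equal to bit 47. USER_PTR_MAX is the
 * highest canonical user-space address under that assumption. */
#define VA_BITS      48
#define USER_PTR_MAX ((1ULL << (VA_BITS - 1)) - 1)   /* 0x00007fffffffffff */

/* The check the advisory describes: only the sign (high) bit decides. */
static bool sign_bit_says_user(uint64_t addr)
{
    return (addr >> 63) == 0;
}

/* Canonical if bits 63..47 (17 bits) are all zero or all one. */
static bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> (VA_BITS - 1);
    return top == 0 || top == ((1ULL << (64 - VA_BITS + 1)) - 1);
}

/* Bounded check: user space only if the address is at or below USER_PTR_MAX,
 * which rejects the non-canonical hole as well as kernel addresses. */
static bool bounded_says_user(uint64_t addr)
{
    return addr <= USER_PTR_MAX;
}

/* The gap: addresses the sign-bit test accepts that are not valid user
 * addresses. A sign-bit-only check lets these reach the access. */
static bool accepted_by_sign_bit_only(uint64_t addr)
{
    return sign_bit_says_user(addr) && !bounded_says_user(addr);
}

int main(void)
{
    const uint64_t samples[] = {          /* constructed sample addresses */
        0x00007ffffffff000ULL,            /* canonical user address */
        0x0000800000000000ULL,            /* first address of the non-canonical hole */
        0x0000beef00000000ULL,            /* another non-canonical address */
        0xffff888000000000ULL,            /* canonical kernel address */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t a = samples[i];
        printf("%#018llx sign-bit:user=%d canonical=%d bounded:user=%d gap=%d\n",
               (unsigned long long)a, sign_bit_says_user(a), is_canonical(a),
               bounded_says_user(a), accepted_by_sign_bit_only(a));
    }
    return 0;
}
```

The rows with gap=1 are exactly the non-canonical addresses that the high-bit test treats as user space, which is the input class the advisory says a speculation gadget could consume.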

Vulnerable products and versions

CPE                                                From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.4 (including)   6.11.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*