CVE-2024-56761

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/01/2025
Last modified:
09/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/fred: Clear WFE in missing-ENDBRANCH #CPs

An indirect branch instruction sets the CPU indirect branch tracker (IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted across the instruction boundary. When the decoder finds an inappropriate instruction while WFE is set ENDBR, the CPU raises a #CP fault.

For the "kernel IBT no ENDBR" selftest where #CPs are deliberately triggered, the WFE state of the interrupted context needs to be cleared to let execution continue. Otherwise when the CPU resumes from the instruction that just caused the previous #CP, another missing-ENDBRANCH #CP is raised and the CPU enters a dead loop.

This is not a problem with IDT because it doesn't preserve WFE and IRET doesn't set WFE. But FRED provides space on the entry stack (in an expanded CS area) to save and restore the WFE state, thus the WFE state is no longer clobbered, so software must clear it.

Clear WFE to avoid dead looping in ibt_clear_fred_wfe() and the !ibt_fatal code path when execution is allowed to continue.

Clobbering WFE in any other circumstance is a security-relevant bug.

[ dhansen: changelog rewording ]

Vulnerable products and versions

CPE                                                From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.6 (including)   6.12.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*