VYPR
Unrated severity · NVD Advisory · Published Aug 20, 2018 · Updated Aug 5, 2024

CVE-2018-15594

Description

arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests.

Affected products: 62

Patches: 1

5800dc5c19f3

x86/paravirt: Fix spectre-v2 mitigations for paravirt guests

https://github.com/torvalds/linux · Peter Zijlstra · Aug 3, 2018 · via osv
1 file changed · +10 −4
  • arch/x86/kernel/paravirt.c · +10 −4 · modified
    @@ -88,10 +88,12 @@ unsigned paravirt_patch_call(void *insnbuf,
     	struct branch *b = insnbuf;
     	unsigned long delta = (unsigned long)target - (addr+5);
     
    -	if (tgt_clobbers & ~site_clobbers)
    -		return len;	/* target would clobber too much for this site */
    -	if (len < 5)
    +	if (len < 5) {
    +#ifdef CONFIG_RETPOLINE
    +		WARN_ONCE("Failing to patch indirect CALL in %ps\n", (void *)addr);
    +#endif
     		return len;	/* call too long for patch site */
    +	}
     
     	b->opcode = 0xe8; /* call */
     	b->delta = delta;
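Review bot: the `WARN_ONCE()` added under `CONFIG_RETPOLINE` passes the format string as its first argument, but the first argument of `WARN_ONCE()` is the condition; as written, the string becomes the (always-true) condition and `(void *)addr` is used as the format, so the warning will not print the site name as intended. It should read `WARN_ONCE(1, "Failing to patch indirect CALL in %ps\n", (void *)addr);`. Separately, with the `tgt_clobbers & ~site_clobbers` check removed, neither `tgt_clobbers` nor `site_clobbers` is referenced anywhere in the visible part of this function; the commit message should state why that check was wrong (it caused patch sites to keep their indirect call) or the now-unused parameters should be dropped so the intent is clear to future readers.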
    @@ -106,8 +108,12 @@ unsigned paravirt_patch_jmp(void *insnbuf, const void *target,
     	struct branch *b = insnbuf;
     	unsigned long delta = (unsigned long)target - (addr+5);
     
    -	if (len < 5)
    +	if (len < 5) {
    +#ifdef CONFIG_RETPOLINE
    +		WARN_ONCE("Failing to patch indirect JMP in %ps\n", (void *)addr);
    +#endif
     		return len;	/* call too long for patch site */
    +	}
     
     	b->opcode = 0xe9;	/* jmp */
     	b->delta = delta;
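Review bot: same `WARN_ONCE()` argument-order problem as in the CALL hunk: the condition argument is missing, so this should be `WARN_ONCE(1, "Failing to patch indirect JMP in %ps\n", (void *)addr);`. Minor style point: the retained comment `/* call too long for patch site */` now sits inside `paravirt_patch_jmp()`, where the emitted instruction is a jmp (opcode 0xe9); rewording it to `/* jmp too long for patch site */` would avoid confusion when the two functions are read side by side.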
    

Vulnerability mechanics

Root cause

"An incorrect clobber check in `paravirt_patch_call` prevents the kernel from rewriting indirect calls to direct calls, leaving them vulnerable to Spectre-v2 attacks."

Attack vector

This affects paravirtual guests where the kernel fails to rewrite indirect calls to paravirtual functions, such as `pv_queued_spin_unlock`, into direct calls [patch_id=196257]. Because those indirect calls remain in place, the Spectre-v2 mitigation that depends on their absence (retpoline, `CONFIG_RETPOLINE`) is bypassed at each unpatched site, leaving the guest kernel exposed to Spectre-v2 attacks.

Affected code

The vulnerability is located in `arch/x86/kernel/paravirt.c` within the `paravirt_patch_call` function [patch_id=196257]. The function incorrectly performed a clobber check that prevented the rewriting of certain indirect calls to direct calls. This failure to patch leaves indirect calls in place, which undermines Spectre-v2 mitigations for paravirtual guests.

What the fix does

The patch removes the incorrect clobber check in `paravirt_patch_call` that was preventing indirect calls from being rewritten to direct calls [patch_id=196257]. With the check gone, the kernel replaces each indirect call with a direct call to the same function, so the Spectre-v2 mitigation is applied at those sites as intended. The patch also adds `WARN_ONCE` statements, under `CONFIG_RETPOLINE`, to both `paravirt_patch_call` and `paravirt_patch_jmp` so that any remaining patch failure caused by insufficient instruction space (a site shorter than 5 bytes) is reported rather than silently leaving an indirect branch behind.
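To make the mechanism concrete, here is an added user-space model of the `paravirt_patch_call` path described above. It is illustration only, not kernel code and not part of this advisory: `model_patch_call`, `model_call_target`, `PV_CALL_LEN` and `model_patch_failures` are hypothetical names, the patch-site addresses are constructed, and a little-endian host (as on x86) is assumed. It shows the two outcomes a reviewer of this fix cares about: a 5-byte site receives a direct `call rel32` (opcode 0xe8, displacement relative to the end of the instruction), while a shorter site is left untouched and counted, which is exactly the situation the new `WARN_ONCE` flags.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a model of the paravirt call-patching
 * step. A direct x86 CALL is 5 bytes: opcode 0xe8 followed by a signed
 * 32-bit displacement measured from the end of the instruction. */
#define PV_CALL_LEN 5u            /* hypothetical constant name */

static unsigned patch_failures;   /* stands in for the kernel's WARN_ONCE */

/* Rewrite the `len`-byte patch site at `addr` into a direct call to
 * `target`. Returns the number of bytes emitted. Returning `len` while
 * len < 5 means the site was left alone: the indirect call survives. */
unsigned model_patch_call(uint8_t *insnbuf, uintptr_t target,
                          uintptr_t addr, unsigned len)
{
    /* rel32 is relative to the address following the 5-byte call */
    int32_t delta = (int32_t)(target - (addr + PV_CALL_LEN));

    if (len < PV_CALL_LEN) {
        patch_failures++;
        fprintf(stderr, "Failing to patch indirect CALL at %#lx\n",
                (unsigned long)addr);
        return len;               /* site too short for a direct call */
    }
    insnbuf[0] = 0xe8;            /* call rel32 */
    memcpy(&insnbuf[1], &delta, sizeof delta);   /* little-endian host */
    return PV_CALL_LEN;
}

/* Decode a patched site back to its target, or return 0 when the site
 * does not start with a direct call (i.e. patching did not happen). */
uintptr_t model_call_target(const uint8_t *insnbuf, uintptr_t addr)
{
    int32_t delta;

    if (insnbuf[0] != 0xe8)
        return 0;
    memcpy(&delta, &insnbuf[1], sizeof delta);
    return addr + PV_CALL_LEN + (uintptr_t)(intptr_t)delta;
}

unsigned model_patch_failures(void)
{
    return patch_failures;
}

int main(void)
{
    uint8_t site[8] = {0};        /* constructed 7-byte patch site */
    uint8_t tiny[8] = {0};        /* constructed 3-byte patch site */

    unsigned n = model_patch_call(site, 0x1100, 0x1000, 7);
    printf("patched %u bytes, decodes to target %#lx\n",
           n, (unsigned long)model_call_target(site, 0x1000));

    unsigned m = model_patch_call(tiny, 0x1100, 0x2000, 3);
    printf("short site: returned %u, target decodes to %#lx, failures=%u\n",
           m, (unsigned long)model_call_target(tiny, 0x2000),
           model_patch_failures());
    return 0;
}
```

The decoder is the check a defender would run in a memory image or a live kernel: a site whose first byte is not 0xe8 after patching is still an indirect branch, and on a retpoline-enabled kernel that is the condition the new warning exists to surface.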

Preconditions

  • config: The system must be running as a paravirtual guest.

Generated on May 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
