Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability has been identified in the Linux kernel's handling of external interrupts under the x86 FRED (Flexible Return and Event Delivery) extension. array_index_nospec() is the kernel's Spectre-v1 mitigation: it masks an array index to zero when the index is out of bounds, so that a mispredicted bounds check cannot be used to read beyond an array under speculation. The mask is only effective while the masked value stays in a register and is consumed directly by the array access. If the compiler spills the result to the stack (for example across a function call) and reloads it, the reload is subject to memory prediction, and the supposedly safe index can speculatively take an unmasked value. For this reason array_index_nospec() must be used directly in the array access expression. In the affected code the index was computed early and held in %ebp across a function call instead of being computed at the point of use, which permits such a spill and reload. The vulnerability affects the Linux kernel stable tree.
Exploitation would be a speculative-execution attack of the Spectre-v1 class: under misprediction, a reloaded index can select an entry outside the vector handler table and act on it transiently, which is the kind of out-of-bounds speculation the mask is meant to prevent. Architectural dispatch of the interrupt is unaffected, so the flaw does not cause observable misbehaviour on its own; it weakens a speculation mitigation.
The affected path is fred_extint(), the FRED entry handler for external interrupts, which runs whenever such an interrupt is delivered to a FRED-enabled x86 kernel; it is a kernel-internal entry point, not a function that user space invokes. It indexes the vector handler table with the 'vector' taken from the event frame, using a masked index that was computed before a function call and could therefore be spilled to and reloaded from the stack, leaving a window for memory prediction. Whether a spill actually occurs depends on the compiler's register allocation, so the exposure varies by toolchain and build.
The vulnerability has been addressed in the Linux kernel: the fix applies array_index_nospec() in the array access expression itself, so the masked index is consumed immediately and is never live across a call. Users should upgrade to the latest version available in the Linux kernel stable tree. Only kernels built with FRED support (CONFIG_X86_FRED) running on hardware that enables it use this entry path; other configurations use the legacy IDT entry code and are not exposed through it.
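The two code shapes the advisory contrasts, as an added userspace example that is not kernel code: a C re-implementation of the kernel's generic array_index_mask_nospec()/array_index_nospec() arithmetic (the real x86 version computes the same mask with cmp/sbb in inline asm), followed by a dispatcher in the vulnerable shape (masked index computed, then held across a function call) and in the fixed shape (mask applied inside the access expression). FIRST_VECTOR, NR_VECTORS, enter(), the handler table and the dispatch functions are assumptions standing in for the FRED system-vector dispatch, not the kernel's own names.

```c
#include <stdio.h>

/* Userspace model of the kernel's generic array_index_mask_nospec():
 * all-ones when index < size, all-zeros otherwise, computed without a
 * branch so a mispredicted bounds check cannot be exploited.
 * (Assumed re-implementation; the x86 kernel does this in inline asm.) */
static inline unsigned long mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1);
}

/* Model of array_index_nospec(): clamp the index to 0 when out of range.
 * The empty asm stops the compiler from folding the mask away when it can
 * prove the index is in range, like the kernel's OPTIMIZER_HIDE_VAR(). */
static inline unsigned long index_nospec(unsigned long index, unsigned long size)
{
    unsigned long mask = mask_nospec(index, size);
    __asm__ __volatile__("" : "+r"(mask));
    return index & mask;
}

/* Hypothetical handler table standing in for the system-vector table. */
#define FIRST_VECTOR 0xecU
#define NR_VECTORS   4U

typedef int (*handler_t)(void);
static int h0(void) { return 0; }
static int h1(void) { return 1; }
static int h2(void) { return 2; }
static int h3(void) { return 3; }
static const handler_t table[NR_VECTORS] = { h0, h1, h2, h3 };

/* Stand-in for the call the real entry code makes before dispatching.
 * noinline so it is a genuine call: anything live across it must be kept
 * in a callee-saved register or spilled to the stack. */
__attribute__((noinline)) static void enter(void)
{
    __asm__ __volatile__("" ::: "memory");
}

/* Vulnerable shape: the masked index is computed first and stays live
 * across enter(). The compiler may spill it; if it does, the reload of the
 * "safe" value is subject to memory prediction and the mask no longer
 * protects the table load under speculation. */
static int dispatch_before_fix(unsigned int vector)
{
    if (vector < FIRST_VECTOR || vector - FIRST_VECTOR >= NR_VECTORS)
        return -1;
    unsigned long idx = index_nospec(vector - FIRST_VECTOR, NR_VECTORS);
    enter();
    return table[idx]();
}

/* Fixed shape: the mask is applied in the access expression itself, so the
 * mask and the load are adjacent and there is no call across which the
 * masked index could be spilled and reloaded. */
static int dispatch_after_fix(unsigned int vector)
{
    if (vector < FIRST_VECTOR || vector - FIRST_VECTOR >= NR_VECTORS)
        return -1;
    enter();
    return table[index_nospec(vector - FIRST_VECTOR, NR_VECTORS)]();
}

int main(void)
{
    printf("mask(2,4)=%lx mask(4,4)=%lx\n", mask_nospec(2, 4), mask_nospec(4, 4));
    printf("vector 0xee -> %d / %d\n",
           dispatch_before_fix(0xee), dispatch_after_fix(0xee));
    printf("vector 0xf0 -> %d / %d\n",
           dispatch_before_fix(0xf0), dispatch_after_fix(0xf0));
    return 0;
}
```

Both dispatchers return identical results for every input, which is the point: the flaw is invisible at the C level and only shows up in the generated code. The practical check for a backported or locally modified kernel is to disassemble the dispatch site and confirm that the masked index feeds the table load straight from the register the mask was computed in, with no store to and reload from the stack in between.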