Spectre (CVE-2017-5753) kernel updates

As suggested by Intel in their Intel Analysis of Speculative Execution Side Channels  whitepaper, the recommended mitigation for Spectre (CVE-2017-5753) is to use the LFENCE instruction (“LFENCE does not execute until all prior instructions have completed locally, and no later instruction begins execution until LFENCE completes”). This will stop the bounds check bypass method that relies on instructions being executed after a conditional branch instruction. As sometimes the CPU is executing instructions in advance (to save time), this method takes advantage of this feature to execute instructions while the CPU is trying to determine if an input is in bounds.

Intel states that “[…]the use of an LFENCE instruction is recommended for this purpose. Serializing instructions, as well as the LFENCE instruction, will stop younger instructions from executing, even speculatively, before older instructions have retired but LFENCE is a better performance solution than other serializing instructions. An LFENCE instruction inserted after a bounds check will prevent younger operations from executing before the bound check retires.[…]”.

Let’s see an example from the Linux kernel patches/updates:

linux kernel diff

Similarly, on the Windows kernel side:

windows kernel diff