In ibprctlset of bugs.c, there is a possible way to re-enable indirect branch speculation due to a permissions bypass. This could lead to local information disclosure via a Spectre v2 attack with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 949.0, "function_hash": "337582401683084583128489187843894130475" }, "id": "ASB-A-169505929-8ef931fc", "source": "https://android.googlesource.com/kernel/common/+/4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/x86/kernel/cpu/bugs.c", "function": "ib_prctl_set" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "96293375478824141631754960072640988953", "36152342845344979984605625203388829799", "8460226663272733964146612779976990208", "138461365038257326585673897414895695562", "47823671850491995274274841138110324739", "237551085397149107198675647758349576371" ] }, "id": "ASB-A-169505929-e316d259", "source": "https://android.googlesource.com/kernel/common/+/4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/x86/kernel/cpu/bugs.c" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf" ], "spl": "2021-10-05", "severity": "High", "types": [ "ID" ] }