Today's Spectre variant: branch history injection
A few days prior to the expected 5.17 release, the mainline kernel has just received a series of Spectre mitigations for the x86 and ARM architectures. The vulnerability this time is called "branch history injection"; it has been deemed CVE-2022-0001 and CVE-2022-0002. Some information can be found in this Intel disclosure, this ARM advisory, and this VUSec page:
Branch History Injection (BHI or Spectre-BHB) is a new flavor of Spectre-v2 in that it can circumvent eIBRS and CSV2 to simplify cross-privilege mistraining. The hardware mitigations do prevent the unprivileged attacker from injecting predictor entries for the kernel. However, the predictor relies on a global history to select the target entries to speculatively execute. And the attacker can poison this history from userland to force the kernel to mispredict to "more interesting" kernel targets (i.e., gadgets) that leak data.
According to a documentation patch merged into the mainline, the only known way to exploit this problem is via unprivileged BPF.
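Since the disclosed exploitation path runs through unprivileged BPF, the practical check on a Linux host is whether the kernel reports a Spectre v2 mitigation in sysfs and whether the `kernel.unprivileged_bpf_disabled` sysctl is set. The following audit helper is an added example, not code from the article or the kernel patches; it reads the real sysfs and procfs paths by default but accepts file paths as arguments so it can be exercised against constructed input.

```shell
#!/bin/sh
# Added audit helper (not from the article): reports the kernel's Spectre v2
# status as exported in sysfs and checks that unprivileged BPF, the only known
# BHI exploitation path named in the article, is disabled via sysctl.
# Paths are parameters so the functions can be run against constructed files.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2
BPF_SYSCTL=/proc/sys/kernel/unprivileged_bpf_disabled

# Print the sysfs status line, or "unknown" if the kernel does not export it.
spectre_v2_status() {
    f=${1:-$SPECTRE_V2_SYSFS}
    [ -r "$f" ] && cat "$f" || echo "unknown"
}

# Return 0 when unprivileged BPF is disabled: 1 means disabled until reboot,
# 2 means disabled but re-enableable. Return 1 when enabled (0) or unreadable.
unprivileged_bpf_disabled() {
    f=${1:-$BPF_SYSCTL}
    [ -r "$f" ] || return 1
    case "$(cat "$f")" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Summarise the posture: "ok" when sysfs reports a mitigation AND unprivileged
# BPF is disabled, otherwise "review" (vulnerable, unknown, or BPF still open).
bhi_posture() {
    status=$(spectre_v2_status "$1")
    case "$status" in
        Mitigation:*) mitigated=1 ;;
        *)            mitigated=0 ;;
    esac
    if [ "$mitigated" -eq 1 ] && unprivileged_bpf_disabled "$2"; then
        echo ok
    else
        echo review
    fi
}

# Usage: bhi_posture [spectre_v2_file] [unprivileged_bpf_file]
bhi_posture
```

A "Mitigation:" line alone does not prove BHB-specific hardening on every kernel, so treat "ok" as a baseline, not a guarantee, and confirm the kernel version carries the 5.17-era patches.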