by str3wer 669 days ago
I have a C906 running Linux, how can I mitigate this vulnerability?
3 comments

Most likely you have the mitigation already in place, that is, disabling the XTheadVector extension. The regular distributions don't enable it, since it's a non-standard, incompatible vendor extension based on a draft spec.

When I wanted to benchmark their implementation last year I patched a kernel to enable it, and needed to consult the open source part of the core [0] to figure out that they placed the enable CSR bit in a different location than the final ratified spec. [1]

[0] https://github.com/T-head-Semi/openc906 (doesn't include XTheadVector extension)

[1] https://github.com/camel-cdr/rvv-d1

From the article:

> No, software updates or patches cannot fix this vulnerability because it is a hardware bug. The only mitigation is to disable the vector extension in the CPU, which unfortunately impacts the CPU’s performance.

This almost won't impact CPU performance at all, because basically no software/packages use the XTheadVector custom extension.

Do you let people run arbitrary code on your Linux box? If not, you don't have anything to worry about, as far as I can see.