Xen project Mailing List

Xen Security Advisory 426 v1 (CVE-2022-27672) - x86: Cross-Thread Return Address Predictions

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Tue, 14 Feb 2023 18:03:16 +0000

Cc: Xen.org security team <security-team-members@xxxxxxx>

Delivery-date: Tue, 14 Feb 2023 18:04:00 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-27672 / XSA-426 x86: Cross-Thread Return Address Predictions ISSUE DESCRIPTION ================= It has been discovered that on some AMD CPUs, the RAS (Return Address Stack, also called RAP - Return Address Predictor - in some AMD documentation, and RSB - Return Stack Buffer - in Intel terminology) is dynamically partitioned between non-idle threads. This allows an attacker to control speculative execution on the adjacent thread. For more details, see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045 IMPACT ====== An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. VULNERABLE SYSTEMS ================== Only AMD CPUs are known to be potentially vulnerable. CPUs from other hardware vendors are not believed to be impacted. Only the Zen1 and Zen2 microarchitectures are believed to be potentially vulnerable. Other microarchitectures are not believed to be vulnerable. Only configurations with SMT activate are potentially vulnerable. If SMT is disabled by the firmware, or at runtime with `smt=0` on Xen's command line, then the platform is not vulnerable. Xen 4.17 and later contains an optimisation, specifically: c/s afab477fba3b ("x86/spec-ctrl: Skip RSB overwriting when safe to do so") which in combination with disabling 32bit PV guests (either at compile time with CONFIG_PV32=n, or at runtime with `pv=no-32` on the command line) renders Xen vulnerable to attack from PV guests. Note: multiple downstreams are known to have backported this optimisation to older versions of Xen. Consult your software vendor documentation. MITIGATION ========== On otherwise-vulnerable configurations, the issue can be mitigated by booting Xen with `spec-ctrl=rsb`, which will override the aforementioned optimisation. Alternatively, SMT can be disabled either in the firmware, or by booting Xen with `smt=0`. Alternatively, if 32bit PV guests are only runtime disabled in Xen, this issue can also be mitigated by booting Xen with `pv=32` to enable support 32bit PV guests. It is not necessary for a 32bit PV guest to actually be running in order to mitigate the issue. RESOLUTION ========== Applying the attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa426.patch xen-unstable - Xen 4.17 $ sha256sum xsa426* 425b1d8931e02852afec9fe3d9f1d009f6d8a33c6387b2e8b3896f374732d470 xsa426.patch $ -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmPrzJoMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZiqsIALrisP3l7ImoKe49Bmb1blNYmUv6UjYGdVF9acc9 ++QYPLq4Mu+kJuIlgKnT21hj7BFczL4KSi8sVw/nLqU3x8R/ZJ6nxXLlCod6RqGw 4MYd6QmArx8a+hm3LC0288VEFVXFh0WTDA6PK15RkspiwcjsAZ4w7DA7cRk0FLP0 9KJMhSPOAj9wCDhvOckr7DnA+D6gOKjMH83NCL0rg6Xe8+Bv0qTVYe49FqAnbWwc 9RsYOKfRuZUci+Z+mALVRB97R7xvns5D9HnDvs55ADri506JWkxmdp1GvLtjezXV 3Zds6TOrr1i0RQGV9M6aouinrI+DQNrOFR8V6p98KYxAo+Y= =T8Uh -----END PGP SIGNATURE-----

Attachment: xsa426.patch
Description: Binary data

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.