Xen Security Advisory 426 v2 (CVE-2022-27672) - x86: Cross-Thread Return Address Predictions




            Xen Security Advisory CVE-2022-27672 / XSA-426
                               version 2

             x86: Cross-Thread Return Address Predictions

UPDATES IN VERSION 2
====================

Xen 4.16 is vulnerable too.  The previous analysis of impacted versions
was incorrect.

The same patch is applicable to Xen 4.16, and the staging-4.16 branch
has already had the backport applied.

ISSUE DESCRIPTION
=================

It has been discovered that on some AMD CPUs, the RAS (Return Address
Stack, also called RAP - Return Address Predictor - in some AMD
documentation, and RSB - Return Stack Buffer - in Intel terminology) is
dynamically partitioned between non-idle threads.  This allows an
attacker to control speculative execution on the adjacent thread.

For more details, see:
  https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045

IMPACT
======

An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.

VULNERABLE SYSTEMS
==================

Only AMD CPUs are known to be potentially vulnerable.  CPUs from other
hardware vendors are not believed to be impacted.

Only the Zen1 and Zen2 microarchitectures are believed to be potentially
vulnerable.  Other microarchitectures are not believed to be vulnerable.

Only configurations with SMT active are potentially vulnerable.  If
SMT is disabled by the firmware, or at runtime with `smt=0` on Xen's
command line, then the platform is not vulnerable.

Xen 4.16 and later contain an optimisation, specifically:

  c/s afab477fba3b ("x86/spec-ctrl: Skip RSB overwriting when safe to do so")

which in combination with disabling 32bit PV guests (either at compile
time with CONFIG_PV32=n, or at runtime with `pv=no-32` on the command
line) renders Xen vulnerable to attack from PV guests.

Note: multiple downstreams are known to have backported this
optimisation to older versions of Xen.  Consult your software vendor
documentation.

MITIGATION
==========

On otherwise-vulnerable configurations, the issue can be mitigated by
booting Xen with `spec-ctrl=rsb`, which will override the aforementioned
optimisation.

Alternatively, SMT can be disabled either in the firmware, or by booting
Xen with `smt=0`.

Alternatively, if 32bit PV guests are only runtime-disabled in Xen, this
issue can also be mitigated by booting Xen with `pv=32` to enable
support for 32bit PV guests.  It is not necessary for a 32bit PV guest to
actually be running in order to mitigate the issue.
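A configuration check that applies the rules in VULNERABLE SYSTEMS and MITIGATION above, written for this advisory and not part of Xen or the advisory itself. It reads `xl info` output and /proc/cpuinfo (constructed samples below) and assumes that Zen1/Zen2 report CPU family 23 (17h), that `threads_per_core` reflects online siblings, and that `xen_caps` lists `xen-3.0-x86_32p` only while 32bit PV support is enabled; a downstream backport of the optimisation to a pre-4.16 Xen cannot be seen in these fields, so that case is reported for manual follow-up.

```python
import re

# Constructed `xl info` excerpt (not captured from a real host); only the
# fields the check reads are shown.
SAMPLE_XL_INFO = """\
xen_version            : 4.16.3
xen_caps               : xen-3.0-x86_64 hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
xen_commandline        : placeholder console=vga dom0_mem=4096M pv=no-32
threads_per_core       : 2
"""
# Constructed /proc/cpuinfo excerpt for an AMD family 17h (Zen1/Zen2) part.
SAMPLE_CPUINFO = "vendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 49\n"

TRUE_WORDS = {"1", "on", "yes", "true", "enable"}
FALSE_WORDS = {"0", "off", "no", "false", "disable"}

def parse_kv(text):
    """Parse 'key : value' lines (`xl info` and /proc/cpuinfo share this shape)."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_cmdline(cmdline):
    """Map each Xen option to True/False, or to a dict of its sub-options.
    Handles `smt=0`, `no-smt`, `spec-ctrl=rsb`, `spec-ctrl=no-rsb`, `pv=no-32`;
    a later occurrence of an option overrides an earlier one."""
    opts = {}
    for tok in cmdline.split():
        key, _, val = tok.partition("=")
        if not val:                                   # bare `smt` / `no-smt`
            opts[key[3:] if key.startswith("no-") else key] = not key.startswith("no-")
        elif val.lower() in TRUE_WORDS | FALSE_WORDS:  # plain boolean value
            opts[key] = val.lower() in TRUE_WORDS
        else:                                         # comma-separated sub-options
            subs = opts[key] if isinstance(opts.get(key), dict) else {}
            for sub in val.split(","):
                subs[sub[3:] if sub.startswith("no-") else sub] = not sub.startswith("no-")
            opts[key] = subs
    return opts

def assess_xsa426(xl_info_text, cpuinfo_text):
    """Apply the advisory's rules in order; returns (verdict, reason)."""
    info, cpu = parse_kv(xl_info_text), parse_kv(cpuinfo_text)
    opts = parse_cmdline(info.get("xen_commandline", ""))
    if cpu.get("vendor_id") != "AuthenticAMD" or cpu.get("cpu family") != "23":
        return "not vulnerable", "not an AMD family 17h (Zen1/Zen2) CPU"  # assumption: 17h only
    if info.get("threads_per_core") == "1" or opts.get("smt") is False:
        return "not vulnerable", "SMT is off (firmware or smt=0)"
    sc = opts.get("spec-ctrl")
    if isinstance(sc, dict) and sc.get("rsb") is True:
        return "not vulnerable", "spec-ctrl=rsb overrides the RSB-skipping optimisation"
    if "xen-3.0-x86_32p" in info.get("xen_caps", "").split():  # assumption: cap tracks PV32
        return "not vulnerable", "32bit PV support enabled, RSB overwriting is not skipped"
    m = re.match(r"(\d+)\.(\d+)", info.get("xen_version", ""))
    if m and (int(m[1]), int(m[2])) >= (4, 16):
        return "vulnerable", "Xen 4.16+ with SMT on, PV32 off and no spec-ctrl=rsb"
    return "check downstream", "pre-4.16: vulnerable only if c/s afab477fba3b was backported"
```

On a real host, feed it the output of `xl info` from dom0 and the contents of /proc/cpuinfo.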

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa426.patch          xen-unstable - Xen 4.16

$ sha256sum xsa426*
425b1d8931e02852afec9fe3d9f1d009f6d8a33c6387b2e8b3896f374732d470  xsa426.patch
$
