Xen project Mailing List

Xen Security Advisory 433 v2 (CVE-2023-20593) - x86/AMD: Zenbleed

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Wed, 26 Jul 2023 11:13:04 +0000

Cc: Xen.org security team <security-team-members@xxxxxxx>

Delivery-date: Wed, 26 Jul 2023 11:13:32 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2023-20593 / XSA-433 version 2 x86/AMD: Zenbleed UPDATES IN VERSION 2 ==================== Include the CVE, which was missed accidentally in the rush of timelines repeatedly moving underfoot. ISSUE DESCRIPTION ================= Researchers at Google have discovered Zenbleed, a hardware bug causing corruption of the vector registers. When a VZEROUPPER instruction is discarded as part of a bad transient execution path, its effect on internal tracking are not unwound correctly. This manifests as the wrong micro-architectural state becoming architectural, and corrupting the vector registers. Note: While this malfunction is related to speculative execution, this is not a speculative sidechannel vulnerability. The corruption is not random. It happens to be stale values from the physical vector register file, a structure competitively shared between sibling threads. Therefore, an attacker can directly access data from the sibling thread, or from a more privileged context. For more details, see: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8 IMPACT ====== With very low probability, corruption of the vector registers can occur. This data corruption causes mis-calculations in subsequent logic. An attacker can exploit this bug to read data from different contexts on the same core. Examples of such data includes key material, cypher and plaintext from the AES-NI instructions, or the contents of REP-MOVS instructions, commonly used to implement memcpy(). VULNERABLE SYSTEMS ================== Systems running all versions of Xen are affected. This bug is specific to the AMD Zen2 microarchitecture. AMD do not believe that other microarchitectures are affected. MITIGATION ========== This issue can be mitigated by disabling AVX, either by booting Xen with `cpuid=no-avx` on the command line, or by specifying `cpuid="host:avx=0"` in the vm.cfg file of all untrusted VMs. However, this will come with a significant impact on the system and is not recommended for anyone able to deploy the microcode or patch described below. RESOLUTION ========== AMD are producing microcode updates to address the bug. Consult your dom0 OS vendor. This microcode is effective when late-loaded, which can be performed on a live system without reboot. In cases where microcode is not available, the appropriate attached patch updates Xen to use a control register to avoid the issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa433.patch xen-unstable xsa433-4.17.patch Xen 4.17.x xsa433-4.16.patch Xen 4.16.x xsa433-4.15.patch Xen 4.15.x xsa433-4.14.patch Xen 4.14.x $ sha256sum xsa433* a9331733b63e3e566f1436a48e9bd9e8b86eb48da6a8ced72ff4affb7859e027 xsa433.patch 6f1db2a2078b0152631f819f8ddee21720dabe185ec49dc9806d4a9d3478adfd xsa433-4.14.patch ca3a92605195307ae9b6ff87240beb52a097c125a760c919d7b9a0aff6e557c0 xsa433-4.15.patch e5e94b3de68842a1c8d222802fb204d64acd118e3293c8e909dfaf3ada23d912 xsa433-4.16.patch 41d12104869b7e8307cd93af1af12b4fd75a669aeff15d31b234dc72981ae407 xsa433-4.17.patch $ NOTE CONCERNING TIMELINE ======================== This issue is subject to coordinated disclosure on August 8th. The discoverer chose to publish details ahead of this timeline. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmTA/2cMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ0EIH/02n/gvMGF5RCwfs/uvwjsQASAgELWTgAFv+tXOG yLZWCxNkWAWDxTWAEWfdcSsLCN8GDc4c6lNuhqnV3mVsIDiGSHmXgSkI9pcCQ79T 2KTgC+ncMM4yeYTI5SUL4xvzzIQ/38t5gK5+AyPxg3jpMhCLEz2dJwbjgd4CKai+ ax+l3cX9ibLj/lQQwvgkPXweAVsfILnCAB5J1VQb1Jw0DWauYJLurMj0flz82a2O NftdEx3b5ADDxXHdE52J5p/kpXMDohdPm0R07Y63j+eY+QJADLHfwE+n4pqyzvDf kPEGUtxbcCj4VygmO6xrHgoHYqaGbRYeHJyHEt4jpZDLwP4= =9wn5 -----END PGP SIGNATURE-----

Attachment: xsa433.patch
Description: Binary data

Attachment: xsa433-4.14.patch
Description: Binary data

Attachment: xsa433-4.15.patch
Description: Binary data

Attachment: xsa433-4.16.patch
Description: Binary data

Attachment: xsa433-4.17.patch
Description: Binary data

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.