-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2024-31142 / XSA-455
version 4
x86: Incorrect logic for BTC/SRSO mitigations
UPDATES IN VERSION 4
====================
Public release.
Correct references to prior XSAs. The XSA fixing Branch Type Confusion
was XSA-407, not XSA-422 as previously stated.
ISSUE DESCRIPTION
=================
Because of a logical error in XSA-407 (Branch Type Confusion), the
mitigation is not applied properly when it is intended to be used.
XSA-434 (Speculative Return Stack Overflow) uses the same
infrastructure, so is equally impacted.
For more details, see:
https://xenbits.xen.org/xsa/advisory-407.html
https://xenbits.xen.org/xsa/advisory-434.html
IMPACT
======
XSAs 407 and 434 are unmitigated, even when the patches are in place.
VULNERABLE SYSTEMS
==================
All versions of Xen containing the XSA-407 fixes are vulnerable.
See XSAs 407 and 434 for details on which hardware is susceptible to
BTC/SRSO.
MITIGATION
==========
There are no mitigations.
CREDITS
=======
This issue was discovered by Andrew Cooper of XenServer.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
Note that the Xen Security Team is intending to produce releases on all
stable trees, on the public embargo. Therefore, this fix is expected to
be contained in the following release tags:
RELEASE-4.18.2
RELEASE-4.17.4
RELEASE-4.16.6
RELEASE-4.15.6
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa455.patch xen-unstable - Xen 4.17.x
xsa455-4.16.patch Xen 4.16.x - Xen 4.15.x
$ sha256sum xsa455*
96bcfcc0ce1afcc54f637c728ab5250c65f0a5a1d8ccfc59ac5d496baf1a53a4 xsa455.patch
02e3fe13ac68f665534fabae1520254d5d1832fef7c95fceb190be3b9944a5e1 xsa455-4.16.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
-----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmYVbQcMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZsY4IAJnYJTEEzhdG9+Qy/gcgwiKFB6lA5D6hQ1kAD739
fOh4GyA0ZYRLpfw8J4sVgYmPKl+S0Rx1qdt9X2GHVNIq5FqtFytx3lQt1VF4BTW6
kRHqqccHLKIo0MCRcNBw9wtn5BSQXpmJO9jpsazrBwxMPZpf2Z4mQhMO0aRxq2k7
Oyxz2O1ElNXzItuXM4ZT4OSR2pISjLC5mhKcauH3m/ecAbUwqEf6CjpvLXt7iI/0
OUqnZ7gO4m8fPoIaA0iT51o5Pb/EXTLnvyIrnlOL5C+xyNB8pQETP+cJZSnYYYWX
eNwQ+LwEgSHptPP09cbNFOnf+r1eJR22haPL2sMPveGbKRY=
=LR1k
-----END PGP SIGNATURE-----
From 5bc561024f81371ff267edae73ae4a768b2f7a91 Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Tue, 26 Mar 2024 22:47:25 +0000
Subject: x86/spec-ctrl: Fix BTC/SRSO mitigations
We were looking for SCF_entry_ibpb in the wrong variable in the top-of-stack
block, and xen_spec_ctrl won't have had bit 5 set because Xen doesn't
understand SPEC_CTRL_RRSBA_DIS_U yet.
This is XSA-455 / CVE-2024-31142.
Fixes: 53a570b28569 ("x86/spec-ctrl: Support IBPB-on-entry")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
diff --git a/xen/arch/x86/hvm/svm/entry.S b/xen/arch/x86/hvm/svm/entry.S
index 60b0b00ed0af..071b3997b1c0 100644
--- a/xen/arch/x86/hvm/svm/entry.S
+++ b/xen/arch/x86/hvm/svm/entry.S
@@ -101,7 +101,7 @@ __UNLIKELY_END(nsvm_hap)
/* SPEC_CTRL_ENTRY_FROM_SVM Req: %rsp=regs/cpuinfo, %rdx=0 Clob: acd */
.macro svm_vmexit_cond_ibpb
- testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp)
+ testb $SCF_entry_ibpb, CPUINFO_spec_ctrl_flags(%rsp)
jz .L_skip_ibpb
mov $MSR_PRED_CMD, %ecx
diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
index 629518cc6925..c19b39d8c200 100644
--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
+++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
@@ -90,7 +90,7 @@
jz .L\@_skip
testb $3, UREGS_cs(%rsp)
.else
- testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp)
+ testb $SCF_entry_ibpb, CPUINFO_spec_ctrl_flags(%rsp)
.endif
jz .L\@_skip
From 909cdde9f126beac9888e6a1ff21f0414ef86fdb Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Tue, 26 Mar 2024 22:47:25 +0000
Subject: x86/spec-ctrl: Fix BTC/SRSO mitigations
We were looking for SCF_entry_ibpb in the wrong variable in the top-of-stack
block, and xen_spec_ctrl won't have had bit 5 set because Xen doesn't
understand SPEC_CTRL_RRSBA_DIS_U yet.
This is XSA-455 / CVE-2024-31142.
Fixes: 53a570b28569 ("x86/spec-ctrl: Support IBPB-on-entry")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
diff --git a/xen/arch/x86/hvm/svm/entry.S b/xen/arch/x86/hvm/svm/entry.S
index ad5ca50c12e2..d1ca530315fe 100644
--- a/xen/arch/x86/hvm/svm/entry.S
+++ b/xen/arch/x86/hvm/svm/entry.S
@@ -101,7 +101,7 @@ __UNLIKELY_END(nsvm_hap)
/* SPEC_CTRL_ENTRY_FROM_SVM Req: %rsp=regs/cpuinfo, %rdx=0 Clob: acd */
.macro svm_vmexit_cond_ibpb
- testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp)
+ testb $SCF_entry_ibpb, CPUINFO_spec_ctrl_flags(%rsp)
jz .L_skip_ibpb
mov $MSR_PRED_CMD, %ecx
diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h
index 6e7725c11f3a..9416483c0b26 100644
--- a/xen/include/asm-x86/spec_ctrl_asm.h
+++ b/xen/include/asm-x86/spec_ctrl_asm.h
@@ -102,7 +102,7 @@
jz .L\@_skip
testb $3, UREGS_cs(%rsp)
.else
- testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp)
+ testb $SCF_entry_ibpb, CPUINFO_spec_ctrl_flags(%rsp)
.endif
jz .L\@_skip
© 2016 - 2024 Red Hat, Inc.