|
Message-Id: <E1nVECT-0001Tb-3o@xenbits.xenproject.org> Date: Fri, 18 Mar 2022 15:07:33 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 398 v2 - Multiple speculative security issues -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory XSA-398 version 2 Multiple speculative security issues UPDATES IN VERSION 2 ==================== * Provide more specific ARM URL * Provide additional link to the Intel technical whitepaper ISSUE DESCRIPTION ================= Note: Multiple issues are contained in this XSA due to their interactions. 1) Researchers at VU Amsterdam have discovered Spectre-BHB, pertaining to the use of Branch History between privilege levels. ARM have assigned CVE-2022-23960. Intel have assigned CVE-2022-0001 (Branch History Injection) and CVE-2022-0002 (Intra-mode BTI). AMD have no statement at the time of writing. For more details, see: https://vusec.net/projects/bhi-spectre-bhb https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html 2) Researchers at Open Source Security, Inc. have discovered that AMD CPUs may speculate beyond direct branches. AMD have assigned CVE-2021-26341. For more details, see: https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1026 3) Researchers at Intel have discovered that previous Spectre-v2 recommendations of using lfence/jmp is incomplete. AMD have assigned CVE-2021-26401. For more details, see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036 IMPACT ====== An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. VULNERABLE SYSTEMS ================== Systems running all versions of Xen are affected. Whether a CPU is potentially vulnerable depends on its microarchitecture. Consult your hardware vendor. Xen does not have a managed runtime environment, so is not believed to be vulnerable to CVE-2022-0002 irrespective of any hardware susceptibility. Xen does not have any known gadgets vulnerable to Direct Branch Straight Line Speculation. Therefore, no changes for CVE-2021-26341 are being provided at this time. The AMD BTI (Spectre v2) protections do not depend on isolating predictions between different privileges, so the fact that Branch History is shared (just like the Branch Target Buffer) is not believed to be relevant to existing mitigations. Therefore, there is no believed impact from Spectre-BHB on AMD hardware. Patches to mitigate CVE-2022-23960 on affected ARM CPUs are provided. Intel have recommended not making any changes by default for CVE-2022-0001. Existing Spectre-v2 mitigations on pre-eIBRS hardware are believed to be sufficient. On eIBRS capable hardware, there is uncertainty over the utility of Branch History Injection to an adversary. However, the risk can be removed by using eIBRS in combination with retpoline. For CVE-2021-26401, AMD have recommended using retpoline in preference to lfence/jmp as previously recommended to mitigate Spectre-v2. This recommendation also mitigates any risk from Branch History Injection. For both CVE-2022-0001 on Intel, and CVE-2021-26401 on AMD, the suggestion to use retpoline is incompatible with CET Shadow Stacks as implemented in Xen 4.14 and later. The security team has decided that disabling CET Shadow Stacks to work around speculation problems is not a reasonable option for downstreams and end users. Therefore, patches are also provided to: * Use IBRS on capable AMD hardware. This also mitigates CVE-2021-26401. * Use CET Indirect Branch Tracking on capable Intel hardware. CET-IBT has architectural guarantees about halting speculation, on top of being a hardware mechanism to protect against Call/Jump Oriented Programming attacks. Both provide CET Shadow Stack compatible mitigations to these issues. A practical consequence of this decision is that CET Shadow Stacks are now considered security supported, upgraded from Tech Preview previously. Note: CET-IBT patches are incomplete and will be backported at a later date. MITIGATION ========== On AMD systems, CVE-2021-26401 can be mitigated by specifying: With CET-SS, `spec-ctrl=bti-thunk=jmp,ibrs` Without CET-SS, `spec-ctrl=bti-thunk=retpoline` on Xen's command line, and rebooting. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa398/xsa398-?-*.patch xen-unstable xsa398/xsa398-4.16-*.patch Xen 4.16.x xsa398/xsa398-4.15-*.patch Xen 4.15.x xsa398/xsa398-4.14-*.patch Xen 4.14.x xsa398/xsa398-4.13-*.patch Xen 4.13.x xsa398/xsa398-4.12-*.patch Xen 4.12.x $ sha256sum xsa398* xsa398*/* 9219c48d103a7eeda0fa9cbb5fc5b2265713589e29a9a483d0f3fb6523859903 xsa398.meta 32e7a7627609de2273fe474979e339f6a578cbcf7ce007b6a047954a31aec135 xsa398/xsa398-1-xen-arm-Introduce-new-Arm-processors.patch ef701fd64cfdd838299391cd736749db70ac3b18251d17768d42f4a610dda1be xsa398/xsa398-2-xen-arm-move-errata-CSV2-check-earlier.patch 4d574bc40555f068608a595ade23ecdc224f8c0af86f447cba6e765d4ccde3ad xsa398/xsa398-3-xen-arm-Add-ECBHB-and-CLEARBHB-ID-fields.patch 29a2880ab4fa492deecd2f3dc590609d0df5e9210565ab4121be0d731c4140b0 xsa398/xsa398-4.12-1-xen-arm-Introduce-new-Arm-processors.patch b81eb6a0f8ecde53318eeff1ec8bf1b3fd5f1b211a499317f6c596e831a90101 xsa398/xsa398-4.12-2-xen-arm-move-errata-CSV2-check-earlier.patch a9f5adc44eeeaf5a694f94c91a32e714c765bbcf61066a03e3c52d79d28a3366 xsa398/xsa398-4.12-3-xen-arm-Add-ECBHB-and-CLEARBHB-ID-fields.patch e70d4c06f789c8f5f45c7e27289f8c7aa4c448a6e33f67fb113630ed79382fd9 xsa398/xsa398-4.12-4-xen-arm-Add-Spectre-BHB-handling.patch 6766c0b0d89f3be90046c05358e8b7c43c87b3e1012118af013faa098e783e74 xsa398/xsa398-4.12-5-xen-arm-Allow-to-discover-and-use-SMCCC_ARCH_WORKARO.patch fd047878fd53e130cd7d8cfd1d50334a958e7e962606afaacd5aa1da186f6341 xsa398/xsa398-4.12-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch 1ef4fae89d2bc75e33eb6c8e5f55d0b6f5ba45a274f6d3b5ea7e2eef4c08ad63 xsa398/xsa398-4.13-1-xen-arm-Introduce-new-Arm-processors.patch b0c25a34055dd5401dff1686f4f7ab978c6a449a76aa0e1b369f483fa184851a xsa398/xsa398-4.13-2-xen-arm-move-errata-CSV2-check-earlier.patch c6ffa2818480740dc30e232215531ab69c252e564df365c466e759886b207450 xsa398/xsa398-4.13-3-xen-arm-Add-ECBHB-and-CLEARBHB-ID-fields.patch a272621b1f03b2096a41d675b3ed46ff2c737cd2afcb3e2156a7ec2f8c31748b xsa398/xsa398-4.13-4-xen-arm-Add-Spectre-BHB-handling.patch 8df9f4d3e7bd154246ebe7cd1bc0908ead1076aa35c0a183cd95359aa2173ad0 xsa398/xsa398-4.13-5-xen-arm-Allow-to-discover-and-use-SMCCC_ARCH_WORKARO.patch 02c3a3c45bf3c2592bbc809ce4a8eb24d0b9d31856e9641d5566af68ebf2b476 xsa398/xsa398-4.13-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch 59edd0b8303a39451893d425b8e7ab8aeacf3e6d0bf460ba66a3a323dc0e3145 xsa398/xsa398-4.14-1-xen-arm-Introduce-new-Arm-processors.patch 60bd3003759404b60fd8a7dcf0de87a13463bf64c3724f8fe6570e07c515cecb xsa398/xsa398-4.14-2-xen-arm-move-errata-CSV2-check-earlier.patch 138511c69d00ef1dc0dfe5432af06d744e7b66945bada78024e343943fc001f2 xsa398/xsa398-4.14-3-xen-arm-Add-ECBHB-and-CLEARBHB-ID-fields.patch 9c1b338511422629c98f11c42da27b1cd82435decc0531bca6b8a51218909101 xsa398/xsa398-4.14-4-xen-arm-Add-Spectre-BHB-handling.patch 1a212de641ac1cebfc1aee32c55e9f8bfac6b059f5419ed62589eed99cc0dea5 xsa398/xsa398-4.14-5-xen-arm-Allow-to-discover-and-use-SMCCC_ARCH_WORKARO.patch da382a5baee60ecdf8b4cb0da2c1901b23f324b03dbbe33018fb825e70f78446 xsa398/xsa398-4.14-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch 296e5fdd53328e768908a4e790959841264a410548b4f52f7ccdcf793e9aca7a xsa398/xsa398-4.15-1-xen-arm-Introduce-new-Arm-processors.patch 4498957a1f91c69e2a72cfcfb88804537ee0c05f05fa5d898f452a4dc8205f9e xsa398/xsa398-4.15-2-xen-arm-move-errata-CSV2-check-earlier.patch 2f2b9ec3945283e48486cfd32d5b4343892040d48adc105a89e15953a128df3d xsa398/xsa398-4.15-3-xen-arm-Add-ECBHB-and-CLEARBHB-ID-fields.patch 6d0ade4dfb59fc87c7ae22e4faa333fb5ccef5ecc595de58ef9bcf35f4e3eb26 xsa398/xsa398-4.15-4-xen-arm-Add-Spectre-BHB-handling.patch 77a0a93cd9617c8f0ec0bab1b79f6ed60cab20f5b6ea76a9b6158c4d3a1d0d89 xsa398/xsa398-4.15-5-xen-arm-Allow-to-discover-and-use-SMCCC_ARCH_WORKARO.patch 7df5b320c5887c72c8ed4ffe5b4bcdce9263fde76fe6a67e0876933f8d1ebcff xsa398/xsa398-4.15-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch 92bdba8102f88a2c9d71b46df4db43176fbf0082f9d438101407dbb7e6d458c6 xsa398/xsa398-4.16-1-xen-arm-Introduce-new-Arm-processors.patch 0c9a6fbebc13a0dee288d67a94562fd76e3c6aec20b543c66ac2c16a812973ee xsa398/xsa398-4.16-2-xen-arm-move-errata-CSV2-check-earlier.patch 4f084857ed79af49d2814c02ff6e090a14d77bb0f0d29ac6ddce3576fdb98c68 xsa398/xsa398-4.16-3-xen-arm-Add-ECBHB-and-CLEARBHB-ID-fields.patch 8032757effe8dbc5ef8479403461e604b1520f007489620eace3857b467a4fe2 xsa398/xsa398-4.16-4-xen-arm-Add-Spectre-BHB-handling.patch 3763998bb62d9b251b9358edff220fd22847729768c98dbd46362c290041025b xsa398/xsa398-4.16-5-xen-arm-Allow-to-discover-and-use-SMCCC_ARCH_WORKARO.patch 114f07da2d79f45e0fa45c826c308b273e8c29b6d458bac10fe1aa231a3c2748 xsa398/xsa398-4.16-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch 1bedca674ecee5437e492e2f71275cd32e799d839d26a8f0d75ddee44db2e4d2 xsa398/xsa398-4-xen-arm-Add-Spectre-BHB-handling.patch 6d63089af3eca863599bbe20e26f1f12d2d9c9b637317e7af44fc59750b09f77 xsa398/xsa398-5-xen-arm-Allow-to-discover-and-use-SMCCC_ARCH_WORKARO.patch f79e357079744bbee3e1f7d99d93196e925739297a16fdd8bc1cc86d3b846ce3 xsa398/xsa398-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch $ -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmI0maAMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ/kMIAKi717qEq8DKT4tIzIUzSdK1TuZacTC1ab9MI6Ch LNK/+ra8TYB/o773nF7WXAHJLQkl8qoRG2zZMRPaKTSMjRQaj2J96/8Jk/Th2Ocu jb4n1XjJ72BJNwGgegjsPqJvKnv4HWT/pNnHciYKSHB0tPSoOvySlNZAhvTXIM7a aOekPV+cYVrBRM3JEIvcdaPJBpJHil1erkIlaDQy4tUHzYgHzvE/SQ/lEMFCzEsD Bd70bTxmojn11Z6TcNPdMv2TPNQcuQvVrzJh0EhKqfGwO6bGbI5jffWs7NIPQ7PU 2OBSYYKa2kv0u1/5XxykqgXrdE34VV8gYXhDUKMvWFGe6d0= =xHd2 -----END PGP SIGNATURE----- Download attachment "xsa398.meta" of type "application/octet-stream" (1623 bytes) Download attachment "xsa398/xsa398-1-xen-arm-Introduce-new-Arm-processors.patch" of type "application/octet-stream" (3196 bytes) Download attachment "xsa398/xsa398-2-xen-arm-move-errata-CSV2-check-earlier.patch" of type "application/octet-stream" (1807 bytes) Download attachment "xsa398/xsa398-3-xen-arm-Add-ECBHB-and-CLEARBHB-ID-fields.patch" of type "application/octet-stream" (3023 bytes) Download attachment "xsa398/xsa398-4.12-1-xen-arm-Introduce-new-Arm-processors.patch" of type "application/octet-stream" (3333 bytes) Download attachment "xsa398/xsa398-4.12-2-xen-arm-move-errata-CSV2-check-earlier.patch" of type "application/octet-stream" (1876 bytes) Download attachment "xsa398/xsa398-4.12-3-xen-arm-Add-ECBHB-and-CLEARBHB-ID-fields.patch" of type "application/octet-stream" (2478 bytes) Download attachment "xsa398/xsa398-4.12-4-xen-arm-Add-Spectre-BHB-handling.patch" of type "application/octet-stream" (12577 bytes) Download attachment "xsa398/xsa398-4.12-5-xen-arm-Allow-to-discover-and-use-SMCCC_ARCH_WORKARO.patch" of type "application/octet-stream" (3436 bytes) Download attachment "xsa398/xsa398-4.12-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch" of type "application/octet-stream" (2618 bytes) Download attachment "xsa398/xsa398-4.13-1-xen-arm-Introduce-new-Arm-processors.patch" of type "application/octet-stream" (3245 bytes) Download attachment "xsa398/xsa398-4.13-2-xen-arm-move-errata-CSV2-check-earlier.patch" of type "application/octet-stream" (1876 bytes) Download attachment "xsa398/xsa398-4.13-3-xen-arm-Add-ECBHB-and-CLEARBHB-ID-fields.patch" of type "application/octet-stream" (2480 bytes) Download attachment "xsa398/xsa398-4.13-4-xen-arm-Add-Spectre-BHB-handling.patch" of type "application/octet-stream" (12581 bytes) Download attachment "xsa398/xsa398-4.13-5-xen-arm-Allow-to-discover-and-use-SMCCC_ARCH_WORKARO.patch" of type "application/octet-stream" (3436 bytes) Download attachment "xsa398/xsa398-4.13-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch" of type "application/octet-stream" (2618 bytes) Download attachment "xsa398/xsa398-4.14-1-xen-arm-Introduce-new-Arm-processors.patch" of type "application/octet-stream" (3245 bytes) Download attachment "xsa398/xsa398-4.14-2-xen-arm-move-errata-CSV2-check-earlier.patch" of type "application/octet-stream" (1876 bytes) Download attachment "xsa398/xsa398-4.14-3-xen-arm-Add-ECBHB-and-CLEARBHB-ID-fields.patch" of type "application/octet-stream" (2480 bytes) Download attachment "xsa398/xsa398-4.14-4-xen-arm-Add-Spectre-BHB-handling.patch" of type "application/octet-stream" (12581 bytes) Download attachment "xsa398/xsa398-4.14-5-xen-arm-Allow-to-discover-and-use-SMCCC_ARCH_WORKARO.patch" of type "application/octet-stream" (3436 bytes) Download attachment "xsa398/xsa398-4.14-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch" of type "application/octet-stream" (5522 bytes) Download attachment "xsa398/xsa398-4.15-1-xen-arm-Introduce-new-Arm-processors.patch" of type "application/octet-stream" (3245 bytes) Download attachment "xsa398/xsa398-4.15-2-xen-arm-move-errata-CSV2-check-earlier.patch" of type "application/octet-stream" (1876 bytes) Download attachment "xsa398/xsa398-4.15-3-xen-arm-Add-ECBHB-and-CLEARBHB-ID-fields.patch" of type "application/octet-stream" (2469 bytes) Download attachment "xsa398/xsa398-4.15-4-xen-arm-Add-Spectre-BHB-handling.patch" of type "application/octet-stream" (12597 bytes) Download attachment "xsa398/xsa398-4.15-5-xen-arm-Allow-to-discover-and-use-SMCCC_ARCH_WORKARO.patch" of type "application/octet-stream" (3436 bytes) Download attachment "xsa398/xsa398-4.15-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch" of type "application/octet-stream" (5522 bytes) Download attachment "xsa398/xsa398-4.16-1-xen-arm-Introduce-new-Arm-processors.patch" of type "application/octet-stream" (3245 bytes) Download attachment "xsa398/xsa398-4.16-2-xen-arm-move-errata-CSV2-check-earlier.patch" of type "application/octet-stream" (1876 bytes) Download attachment "xsa398/xsa398-4.16-3-xen-arm-Add-ECBHB-and-CLEARBHB-ID-fields.patch" of type "application/octet-stream" (3052 bytes) Download attachment "xsa398/xsa398-4.16-4-xen-arm-Add-Spectre-BHB-handling.patch" of type "application/octet-stream" (12577 bytes) Download attachment "xsa398/xsa398-4.16-5-xen-arm-Allow-to-discover-and-use-SMCCC_ARCH_WORKARO.patch" of type "application/octet-stream" (3436 bytes) Download attachment "xsa398/xsa398-4.16-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch" of type "application/octet-stream" (5522 bytes) Download attachment "xsa398/xsa398-4-xen-arm-Add-Spectre-BHB-handling.patch" of type "application/octet-stream" (12568 bytes) Download attachment "xsa398/xsa398-5-xen-arm-Allow-to-discover-and-use-SMCCC_ARCH_WORKARO.patch" of type "application/octet-stream" (3367 bytes) Download attachment "xsa398/xsa398-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch" of type "application/octet-stream" (5583 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.