|
Message-Id: <E1qQWG3-0005s9-Ra@xenbits.xenproject.org> Date: Mon, 31 Jul 2023 17:00:35 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 433 v3 (CVE-2023-20593) - x86/AMD: Zenbleed -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2023-20593 / XSA-433 version 3 x86/AMD: Zenbleed UPDATES IN VERSION 3 ==================== The patch provided with earlier versions was buggy. It unintentionally disable more bits than expected in the control register. The contents of this register is not generally known, so the effects on the system are unknown. A patch correcting this error has been committed and backported to all stable trees which got the XSA-433 fix originally. Additionally, it is attached to this advisory as xsa433-bugfix.patch, and applicable to all branches in this form. ISSUE DESCRIPTION ================= Researchers at Google have discovered Zenbleed, a hardware bug causing corruption of the vector registers. When a VZEROUPPER instruction is discarded as part of a bad transient execution path, its effect on internal tracking are not unwound correctly. This manifests as the wrong micro-architectural state becoming architectural, and corrupting the vector registers. Note: While this malfunction is related to speculative execution, this is not a speculative sidechannel vulnerability. The corruption is not random. It happens to be stale values from the physical vector register file, a structure competitively shared between sibling threads. Therefore, an attacker can directly access data from the sibling thread, or from a more privileged context. For more details, see: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8 IMPACT ====== With very low probability, corruption of the vector registers can occur. This data corruption causes mis-calculations in subsequent logic. An attacker can exploit this bug to read data from different contexts on the same core. Examples of such data includes key material, cypher and plaintext from the AES-NI instructions, or the contents of REP-MOVS instructions, commonly used to implement memcpy(). VULNERABLE SYSTEMS ================== Systems running all versions of Xen are affected. This bug is specific to the AMD Zen2 microarchitecture. AMD do not believe that other microarchitectures are affected. MITIGATION ========== This issue can be mitigated by disabling AVX, either by booting Xen with `cpuid=no-avx` on the command line, or by specifying `cpuid="host:avx=0"` in the vm.cfg file of all untrusted VMs. However, this will come with a significant impact on the system and is not recommended for anyone able to deploy the microcode or patch described below. RESOLUTION ========== AMD are producing microcode updates to address the bug. Consult your dom0 OS vendor. This microcode is effective when late-loaded, which can be performed on a live system without reboot. In cases where microcode is not available, the appropriate attached patch updates Xen to use a control register to avoid the issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa433.patch xen-unstable xsa433-4.17.patch Xen 4.17.x xsa433-4.16.patch Xen 4.16.x xsa433-4.15.patch Xen 4.15.x xsa433-4.14.patch Xen 4.14.x xsa433-bugfix.patch xen-unstable - Xen 4.14.x $ sha256sum xsa433* a9331733b63e3e566f1436a48e9bd9e8b86eb48da6a8ced72ff4affb7859e027 xsa433.patch 6f1db2a2078b0152631f819f8ddee21720dabe185ec49dc9806d4a9d3478adfd xsa433-4.14.patch ca3a92605195307ae9b6ff87240beb52a097c125a760c919d7b9a0aff6e557c0 xsa433-4.15.patch e5e94b3de68842a1c8d222802fb204d64acd118e3293c8e909dfaf3ada23d912 xsa433-4.16.patch 41d12104869b7e8307cd93af1af12b4fd75a669aeff15d31b234dc72981ae407 xsa433-4.17.patch b197e45aef1f47b6aebc005f876e3f593c2f32b9e5164a195f487cea6e174f75 xsa433-bugfix.patch $ NOTE CONCERNING TIMELINE ======================== This issue is subject to coordinated disclosure on August 8th. The discoverer chose to publish details ahead of this timeline. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmTH6HQMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZlIoH/jv0CJKyFgiaOLp4DFeLfzKLHJDbLKywj0bv4Q3V wgrWVYwzVbpPwvuArS1dOujgEosTiUggKbzDPEpHa5reVKeeLwCBFxMrU+KYRf9h 6eglOJfiW73xxyggnvQLyh3tEGY0sQF0+OFQMsN5twiXsZS0pxLPomq0slun1VkV 8ZDl4FKjmEmAurE7fOtVdvzwZ6tKVLNaGYIm4wUwNZ0Cd4qo1GHIHsvUT9ZPFc82 jwMjCwk7Ca0Iv1GMyXESwOyR/0tLm07nT9isdkXcVFNgg8JL4f2CxGK9Vt97POEw w9KVo3SoBf+/vY4Fk4HGSXieEofzVBDjO5NkPhESEC+3oMw= =Z3fJ -----END PGP SIGNATURE----- Download attachment "xsa433.patch" of type "application/octet-stream" (4348 bytes) Download attachment "xsa433-4.14.patch" of type "application/octet-stream" (4332 bytes) Download attachment "xsa433-4.15.patch" of type "application/octet-stream" (4292 bytes) Download attachment "xsa433-4.16.patch" of type "application/octet-stream" (4301 bytes) Download attachment "xsa433-4.17.patch" of type "application/octet-stream" (4348 bytes) Download attachment "xsa433-bugfix.patch" of type "application/octet-stream" (946 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.