Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1rk5a7-0008Qz-OY@xenbits.xenproject.org>
Date: Tue, 12 Mar 2024 17:06:27 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 453 v1 (CVE-2024-2193) - GhostRace:
 Speculative Race Conditions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2024-2193 / XSA-453

                GhostRace: Speculative Race Conditions

ISSUE DESCRIPTION
=================

Researchers at VU Amsterdam and IBM Research have discovered GhostRace;
an analysis of the behaviour of synchronisation primitives under
speculative execution.

Synchronisation primitives are typically formed as an unbounded loop
which waits until a resource is available to be accessed.  This means
there is a conditional branch which can be microarchitecturally bypassed
using Spectre-v1 techniques, allowing an attacker to speculatively
execute critical regions.

Therefore, while a critical region might be safe architecturally, it can
still suffer from data races under speculation with unsafe consequences.

The GhostRace paper focuses on Speculative Concurrent Use-After-Free
issues, but notes that there are many other types of speculative data
hazard to be explored.

For more details, see:
  https://vusec.net/projects/ghostrace

IMPACT
======

An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

GhostRace is a variation of Spectre-v1, and Spectre-v1 is known to
affect a wide range of CPU architectures and designs.  Consult your
hardware vendor.

However, Xen does not have any known gadgets vulnerable to GhostRace at
the time of writing.

Furthermore, even with the vulnerable instance found in Linux, the
researchers had to insert an artificial syscall to make the instance
more accessible to a userspace attacker.

Therefore, The Xen Security Team does not believe that immediate action
is required.

MITIGATION
==========

There are no mitigations.

RESOLUTION
==========

Out of caution, the Xen Security Team have provided hardening patches
including the addition of a new LOCK_HARDEN mechanism on x86 similar to
the existing BRANCH_HARDEN.

LOCK_HARDEN is off by default, owing to the uncertainty of there being a
vulnerability under Xen, and uncertainty over the performance impact.

However, we expect more research to happen in this area, and feel it is
prudent to have a mitigation in place.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa453/xsa453-?.patch           xen-unstable
xsa453/xsa453-4.18-?.patch      Xen 4.18.x
xsa453/xsa453-4.17-?.patch      Xen 4.17.x
xsa453/xsa453-4.16-?.patch      Xen 4.16.x
xsa453/xsa453-4.15-?.patch      Xen 4.15.x

$ sha256sum xsa453*/*
5487c6595b114187191e09bc5d7510d228a018ca98bc43ef58f8225fbd843636  xsa453/xsa453-1.patch
1d4ae5ce07f6869dbc20342289d8a00937868014b1c8a69054815cce7a836761  xsa453/xsa453-2.patch
a873074149a74ce1f6252cdaa20e5432930f77caf59cf328ce6c2e0b000e1f3b  xsa453/xsa453-3.patch
12b3e60005f50df1b7050984f0b7545eadc5e99425dae3b4d186c67a4caaeee4  xsa453/xsa453-4.15-1.patch
0b242be1d3fa0c4bcbb3e7755c0267ec6d307c75eec2e7348d8405017af0ab06  xsa453/xsa453-4.15-2.patch
2d17d1586e4b20a5c7677c3ab4553971251c123570c05d1adfede671f5e1d501  xsa453/xsa453-4.15-3.patch
8d209d1c9d3585bd190f9c97d866ff30ef18514ebf874869e5881b5856d3b81e  xsa453/xsa453-4.15-4.patch
350dbcb1f22874f5545936c307a69ae8acd8eef5f24dfccfe2ba2d1e8997c14d  xsa453/xsa453-4.15-5.patch
334fe9512a90c84210a010d9aff82b96eac00d9beb8291a243339e5ca9fb69c2  xsa453/xsa453-4.15-6.patch
bc3781df298eba4b306b742a8b06869eb83c5619a4dd3ae0ddd746a96708e3ea  xsa453/xsa453-4.15-7.patch
b8f0798863f70c65b20809f6749ef17e098f74e944386a7c8199396a7aab7295  xsa453/xsa453-4.15-8.patch
85c66b0f6fad0df2a705a48f75506142cacdf39bab1b68bb22ce4924d3ddae1c  xsa453/xsa453-4.16-1.patch
35416e86df8b55e0d165edef33557d3232c6c7b56ea36fb12278242134279fae  xsa453/xsa453-4.16-2.patch
1f6f09b860d7dc4add0356dd544d85faab6750a5dc72d15438e77322498c0d39  xsa453/xsa453-4.16-3.patch
8d209d1c9d3585bd190f9c97d866ff30ef18514ebf874869e5881b5856d3b81e  xsa453/xsa453-4.16-4.patch
350dbcb1f22874f5545936c307a69ae8acd8eef5f24dfccfe2ba2d1e8997c14d  xsa453/xsa453-4.16-5.patch
f03fba4192ec375220557c6488986c4bb0acb130fcdc61c0a3fe7bb48ffeaf98  xsa453/xsa453-4.16-6.patch
702330fe49015e174fac88cc290cc4ba78af97cc27ca6ac6d612a7f3de264ca1  xsa453/xsa453-4.16-7.patch
cc25536abac03b92a3486df8db4a89aecb8447aa1d31870def4ebf90782017df  xsa453/xsa453-4.16-8.patch
9b0e67756cb0f98721f748f76b767da88cad22969bf32052f9171e0260c8c596  xsa453/xsa453-4.17-1.patch
1cde6cae3738a380d35b769d44344d8e92585d9f4f8bccff1cae933b3d7dd5c8  xsa453/xsa453-4.17-2.patch
dbd117b3482ff24b146ee4936a691ed796ae073abd1c66db5cb5b5ede04c82ea  xsa453/xsa453-4.17-3.patch
00f78778eb392aeda13803bb321d255335fea27abd3beb8fcc70a49ce81fcb3c  xsa453/xsa453-4.17-4.patch
9bad3d96b74ceb9ce6232d4b4e434f7a023ad6ed31f6ff074869e037f6b296c6  xsa453/xsa453-4.17-5.patch
d62b1014347fcb7b6575fe0a1145b358719154655afd007a36739f6fe10cb4d6  xsa453/xsa453-4.17-6.patch
ba6597f3bf859ae38eef675e3540fc8f79dd2a672486c0fbe31a5740cafeffcd  xsa453/xsa453-4.17-7.patch
eb92c317c367689e401d20ce9ff2e5e5b5c551bc8f36424012ccc71c3df240e3  xsa453/xsa453-4.17-8.patch
70334588834939d8e06f0ec3edec2f0e10c1fc5af11aac01a71e6c78075f7352  xsa453/xsa453-4.18-1.patch
7960863a4917ae994a20c5dcd93f080b328749ef24108a5ec436b4a32ff12f07  xsa453/xsa453-4.18-2.patch
57306cbd89f4dc6c65ad89f3a7fedf3b84ebd28f423b54de8a18d8bc247bfbc5  xsa453/xsa453-4.18-3.patch
6280c40626e8d190e4c7216d7574be2bcf5a8143509640a6241706c21fdc3336  xsa453/xsa453-4.18-4.patch
cc9206b7bde3748b3ac58c338f1b233aae25be91fa1a56442e54030037188509  xsa453/xsa453-4.18-5.patch
12ddaedad54794bf7f64b4954e167dca92bfa53a658f3eeec9bd93ce282eee65  xsa453/xsa453-4.18-6.patch
86d1972ca5a01167d4f8da28256e2183227e7d1d0e5245dc85521b260299c64e  xsa453/xsa453-4.18-7.patch
0feec9819a74ab61664e31fff1a0df4b1fe4145fd62fcd5ca7dfc6566f9f938c  xsa453/xsa453-4.patch
9c22f02fe450fc5a05121040f8137b2755c2d196b0a777643587a166ab29a5e6  xsa453/xsa453-5.patch
ef4312c837f6e295796c1bc9a70f5ae27ac846e7149694c9c1f13b10e2b92945  xsa453/xsa453-6.patch
e7b8750f00c9d2018b4c43cceaf931837ea84ee2a8bf40aaf694e1f2f13c7ef1  xsa453/xsa453-7.patch
$

NOTE ABOUT IPI LIVELOCK
=======================

A observation from the GhostRace paper, unrelated to speculation, is the
ability of userspace to livelock the kernel with IPIs.  While the
GhostRace paper is specific to Linux, similar primitives exist for guest
kernels.

However, after analysis and experimentation, The Xen Security Team are
not aware of a way for a guest kernel to mount a similar attack against
Xen.
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmXwhb8MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZWrEH/jb7eEkcdFGvVFvuBbU4dNrEx61eql7LdHjbvLg+
8PkdhjRafl3h766tqilbZiF+ZhM/HmV3i+5t7x6+HhsO59eMuWLghVC1woy0H6VI
QSVAio918183Z7HogcSBw1Z1dFup7rTX3aX9hi/TLARN0VY1mxH3hmxJ7iNYsBHw
mLjgcRXj+aM7iRmIMveWAJD39UU9KVV4F2jDaJl+ay2vH5dwrtlKMdI7Yv9lY45P
USAZxWQJ35ifpZtVTN6C38LzkHPJRvpZib7K+DnfIAaZIwWr10ZSjS+LxK+UMaYJ
fejYte+ki40uS0E7AhlesBSQb7C6qDM8GJbMtwj6en5LN14=
=V/0y
-----END PGP SIGNATURE-----

Download attachment "xsa453/xsa453-1.patch" of type "application/octet-stream" (1665 bytes)

Download attachment "xsa453/xsa453-2.patch" of type "application/octet-stream" (12356 bytes)

Download attachment "xsa453/xsa453-3.patch" of type "application/octet-stream" (4006 bytes)

Download attachment "xsa453/xsa453-4.15-1.patch" of type "application/octet-stream" (6193 bytes)

Download attachment "xsa453/xsa453-4.15-2.patch" of type "application/octet-stream" (1732 bytes)

Download attachment "xsa453/xsa453-4.15-3.patch" of type "application/octet-stream" (12265 bytes)

Download attachment "xsa453/xsa453-4.15-4.patch" of type "application/octet-stream" (4069 bytes)

Download attachment "xsa453/xsa453-4.15-5.patch" of type "application/octet-stream" (3362 bytes)

Download attachment "xsa453/xsa453-4.15-6.patch" of type "application/octet-stream" (15096 bytes)

Download attachment "xsa453/xsa453-4.15-7.patch" of type "application/octet-stream" (2209 bytes)

Download attachment "xsa453/xsa453-4.15-8.patch" of type "application/octet-stream" (7970 bytes)

Download attachment "xsa453/xsa453-4.16-1.patch" of type "application/octet-stream" (6113 bytes)

Download attachment "xsa453/xsa453-4.16-2.patch" of type "application/octet-stream" (1732 bytes)

Download attachment "xsa453/xsa453-4.16-3.patch" of type "application/octet-stream" (12285 bytes)

Download attachment "xsa453/xsa453-4.16-4.patch" of type "application/octet-stream" (4069 bytes)

Download attachment "xsa453/xsa453-4.16-5.patch" of type "application/octet-stream" (3362 bytes)

Download attachment "xsa453/xsa453-4.16-6.patch" of type "application/octet-stream" (15093 bytes)

Download attachment "xsa453/xsa453-4.16-7.patch" of type "application/octet-stream" (2209 bytes)

Download attachment "xsa453/xsa453-4.16-8.patch" of type "application/octet-stream" (7815 bytes)

Download attachment "xsa453/xsa453-4.17-1.patch" of type "application/octet-stream" (6239 bytes)

Download attachment "xsa453/xsa453-4.17-2.patch" of type "application/octet-stream" (1732 bytes)

Download attachment "xsa453/xsa453-4.17-3.patch" of type "application/octet-stream" (12350 bytes)

Download attachment "xsa453/xsa453-4.17-4.patch" of type "application/octet-stream" (4069 bytes)

Download attachment "xsa453/xsa453-4.17-5.patch" of type "application/octet-stream" (3362 bytes)

Download attachment "xsa453/xsa453-4.17-6.patch" of type "application/octet-stream" (15128 bytes)

Download attachment "xsa453/xsa453-4.17-7.patch" of type "application/octet-stream" (2229 bytes)

Download attachment "xsa453/xsa453-4.17-8.patch" of type "application/octet-stream" (7807 bytes)

Download attachment "xsa453/xsa453-4.18-1.patch" of type "application/octet-stream" (1733 bytes)

Download attachment "xsa453/xsa453-4.18-2.patch" of type "application/octet-stream" (12324 bytes)

Download attachment "xsa453/xsa453-4.18-3.patch" of type "application/octet-stream" (4075 bytes)

Download attachment "xsa453/xsa453-4.18-4.patch" of type "application/octet-stream" (3362 bytes)

Download attachment "xsa453/xsa453-4.18-5.patch" of type "application/octet-stream" (15130 bytes)

Download attachment "xsa453/xsa453-4.18-6.patch" of type "application/octet-stream" (2229 bytes)

Download attachment "xsa453/xsa453-4.18-7.patch" of type "application/octet-stream" (7807 bytes)

Download attachment "xsa453/xsa453-4.patch" of type "application/octet-stream" (3293 bytes)

Download attachment "xsa453/xsa453-5.patch" of type "application/octet-stream" (15053 bytes)

Download attachment "xsa453/xsa453-6.patch" of type "application/octet-stream" (2160 bytes)

Download attachment "xsa453/xsa453-7.patch" of type "application/octet-stream" (7738 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.