Message-Id: <E1rk5a7-0008Qz-OY@xenbits.xenproject.org>
Date: Tue, 12 Mar 2024 17:06:27 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 453 v1 (CVE-2024-2193) - GhostRace: Speculative Race Conditions

            Xen Security Advisory CVE-2024-2193 / XSA-453

                GhostRace: Speculative Race Conditions

ISSUE DESCRIPTION
=================

Researchers at VU Amsterdam and IBM Research have discovered GhostRace, an analysis of the behaviour of synchronisation primitives under speculative execution.

Synchronisation primitives are typically formed as an unbounded loop which waits until a resource is available to be accessed. This means there is a conditional branch which can be microarchitecturally bypassed using Spectre-v1 techniques, allowing an attacker to speculatively execute critical regions.

Therefore, while a critical region might be safe architecturally, it can still suffer from data races under speculation with unsafe consequences.

The GhostRace paper focuses on Speculative Concurrent Use-After-Free issues, but notes that there are many other types of speculative data hazard to be explored.

For more details, see: https://vusec.net/projects/ghostrace

IMPACT
======

An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

GhostRace is a variation of Spectre-v1, and Spectre-v1 is known to affect a wide range of CPU architectures and designs. Consult your hardware vendor.

However, Xen does not have any known gadgets vulnerable to GhostRace at the time of writing.
Furthermore, even with the vulnerable instance found in Linux, the researchers had to insert an artificial syscall to make the instance more accessible to a userspace attacker.

Therefore, the Xen Security Team does not believe that immediate action is required.

MITIGATION
==========

There are no mitigations.

RESOLUTION
==========

Out of caution, the Xen Security Team have provided hardening patches, including the addition of a new LOCK_HARDEN mechanism on x86 similar to the existing BRANCH_HARDEN.

LOCK_HARDEN is off by default, owing to the uncertainty of there being a vulnerability under Xen, and uncertainty over the performance impact. However, we expect more research to happen in this area, and feel it is prudent to have a mitigation in place.

Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches.
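As an added illustration (not Xen's code and not the XSA-453 patches), the following shows a spin-wait lock of the shape the advisory describes, beside the same lock with a speculation barrier placed after acquisition in the spirit of LOCK_HARDEN. It assumes x86 for the LFENCE (a placeholder compiler barrier is used elsewhere); the spinlock, the barrier macro and the resource struct are constructed for the example.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Assumption: x86, where LFENCE waits for earlier instructions to complete, so
 * nothing after it runs, even speculatively, on a mispredicted "lock is free"
 * branch. On other ISAs a plain compiler barrier stands in as a placeholder. */
#if defined(__x86_64__) || defined(__i386__)
#define speculation_barrier() __asm__ __volatile__("lfence" ::: "memory")
#else
#define speculation_barrier() __asm__ __volatile__("" ::: "memory")
#endif

typedef struct { atomic_bool held; } spinlock_t;

/* Unhardened acquire: the while() exit is the conditional branch the advisory
 * describes; architecturally the caller waits, but the predictor may guess
 * "acquired" and let the critical region run before the exchange resolves. */
static inline void spin_lock_unhardened(spinlock_t *l)
{
    while (atomic_exchange_explicit(&l->held, true, memory_order_acquire))
        ;
}

/* Hardened acquire: the same loop, then a barrier so that instructions past
 * this point execute only once the lock is architecturally held. */
static inline void spin_lock_hardened(spinlock_t *l)
{
    while (atomic_exchange_explicit(&l->held, true, memory_order_acquire))
        ;
    speculation_barrier();
}

static inline void spin_unlock(spinlock_t *l)
{
    atomic_store_explicit(&l->held, false, memory_order_release);
}

/* Constructed resource: data is valid only while lock is held. Its NULL check
 * is the sort of state a speculative bypass of the lock would let a racing
 * CPU evaluate against an object another CPU is concurrently freeing. */
struct resource { spinlock_t lock; int *data; };

static int resource_read(struct resource *r)
{
    spin_lock_hardened(&r->lock);
    int v = r->data ? *r->data : -1;   /* -1: no data present */
    spin_unlock(&r->lock);
    return v;
}
```

The barrier costs a serialising instruction on every acquisition, which is the performance trade-off the advisory gives as one reason LOCK_HARDEN is off by default.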
xsa453/xsa453-?.patch           xen-unstable
xsa453/xsa453-4.18-?.patch      Xen 4.18.x
xsa453/xsa453-4.17-?.patch      Xen 4.17.x
xsa453/xsa453-4.16-?.patch      Xen 4.16.x
xsa453/xsa453-4.15-?.patch      Xen 4.15.x

$ sha256sum xsa453*/*

NOTE ABOUT IPI LIVELOCK
=======================

An observation from the GhostRace paper, unrelated to speculation, is the ability of userspace to livelock the kernel with IPIs. While the GhostRace paper is specific to Linux, similar primitives exist for guest kernels.
However, after analysis and experimentation, the Xen Security Team are not aware of a way for a guest kernel to mount a similar attack against Xen.