|
Message-Id: <E1rew95-0004EA-2k@xenbits.xenproject.org> Date: Tue, 27 Feb 2024 12:01:15 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 451 v2 (CVE-2023-46841) - x86: shadow stack vs exceptions from emulation stubs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2023-46841 / XSA-451 version 2 x86: shadow stack vs exceptions from emulation stubs UPDATES IN VERSION 2 ==================== Largely cosmetic adjustment in patches. Public release. ISSUE DESCRIPTION ================= Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exceptions, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing. IMPACT ====== An unprivileged guest can cause a hypervisor crash, causing a Denial of Service (DoS) of the entire host. VULNERABLE SYSTEMS ================== Xen 4.14 and onwards are vulnerable. Xen 4.13 and older are not vulnerable. Only x86 systems with CET-SS enabled are vulnerable. x86 systems with CET-SS unavailable or disabled are not vulnerable. Arm systems are not vulnerable. See https://xenbits.xen.org/docs/latest/faq.html#tell-if-cet-is-active for how to determine whether CET-SS is active. Only HVM or PVH guests can leverage the vulnerability. PV guests cannot leverage the vulnerability. MITIGATION ========== While in principle it is possible to disable use of CET on capable systems using the "cet=no-shstk" command line option, doing so disables an important security feature and may therefore not be advisable. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate (set of) attached patch(es) resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa451-?.patch xen-unstable xsa451-4.18.patch Xen 4.18.x xsa451-4.17.patch Xen 4.17.x xsa451-4.16.patch Xen 4.16.x xsa451-4.15.patch Xen 4.15.x $ sha256sum xsa451* 446178a9a37646e62622988efffa3d1ffa0b579fc089ab79138507acfd3440c0 xsa451-1.patch 614ab6925ea60f36212f0cd01929f3a97161de1828040770792e146c170bfea2 xsa451-2.patch ad529273d7dc97bff239f1727a9702eb24d41b723d2a3077a1fecc4684900f91 xsa451-3.patch 2c68480657220cfab92fe9821ce201ff7c9e0b541619a1add541f3d66fa13e9d xsa451-4.15.patch fa8ab72e61fae0130fb81b0a7ce508fdb3bcb3c800b0ab7684aa6595cbad88ea xsa451-4.16.patch e41cab6471586a5f50e10eb26895fec624cc6d8fd3b4ff71495466df8aaa19e5 xsa451-4.17.patch d6b76a8db6c80c0684fc94becc2e23091c8f1dcbebc726438dbb1a6cde543335 xsa451-4.18.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmXdu4UMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZApoIAMmKsIAqbt/QlUZFUXYx+DAW20Bl7DUGjJlFv6kx pBDSxW3a2evYo+CTTapVeRfosI+/kI61pcyFd19EGdthVcgufPQOC7yVxmu8j7Wi s6lb/h0b6vKFOUubKN+EtaVRR34acqmQwSq668AjcyL8M5xIdWfYDpKHVft29x8i QwKdKnvsWwaFrUathVTlspqcHLkNWf7+nsTVapMG2O15UrqYdJPErhL/Bh+iwSih exc/fRFyQuqFL7qHnvPXz+AhajjHmDO+1Z3OCir9MleyZ3JJvIq6Vnje75+DFHeT n9kFt29LJMvRzlDzIdfUy9R98h0r3WIQBaicFO2pBKlp6i8= =JJb5 -----END PGP SIGNATURE----- Download attachment "xsa451-1.patch" of type "application/octet-stream" (1478 bytes) Download attachment "xsa451-2.patch" of type "application/octet-stream" (7331 bytes) Download attachment "xsa451-3.patch" of type "application/octet-stream" (2045 bytes) Download attachment "xsa451-4.15.patch" of type "application/octet-stream" (7515 bytes) Download attachment "xsa451-4.16.patch" of type "application/octet-stream" (7505 bytes) Download attachment "xsa451-4.17.patch" of type "application/octet-stream" (7516 bytes) Download attachment "xsa451-4.18.patch" of type "application/octet-stream" (7278 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.