|
Message-Id: <E1ruEpb-0000jN-81@xenbits.xenproject.org> Date: Tue, 09 Apr 2024 17:00:23 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 455 v4 (CVE-2024-31142) - x86: Incorrect logic for BTC/SRSO mitigations -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2024-31142 / XSA-455 version 4 x86: Incorrect logic for BTC/SRSO mitigations UPDATES IN VERSION 4 ==================== Public release. Correct references to prior XSAs. The XSA fixing Branch Type Confusion was XSA-407, not XSA-422 as previously stated. ISSUE DESCRIPTION ================= Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html IMPACT ====== XSAs 407 and 434 are unmitigated, even when the patches are in place. VULNERABLE SYSTEMS ================== All versions of Xen containing the XSA-407 fixes are vulnerable. See XSAs 407 and 434 for details on which hardware is susceptible to BTC/SRSO. MITIGATION ========== There are no mitigations. CREDITS ======= This issue was discovered by Andrew Cooper of XenServer. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that the Xen Security Team is intending to produce releases on all stable trees, on the public embargo. Therefore, this fix is expected to be contained in the following release tags: RELEASE-4.18.2 RELEASE-4.17.4 RELEASE-4.16.6 RELEASE-4.15.6 Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa455.patch xen-unstable - Xen 4.17.x xsa455-4.16.patch Xen 4.16.x - Xen 4.15.x $ sha256sum xsa455* 96bcfcc0ce1afcc54f637c728ab5250c65f0a5a1d8ccfc59ac5d496baf1a53a4 xsa455.patch 02e3fe13ac68f665534fabae1520254d5d1832fef7c95fceb190be3b9944a5e1 xsa455-4.16.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmYVbQcMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZsY4IAJnYJTEEzhdG9+Qy/gcgwiKFB6lA5D6hQ1kAD739 fOh4GyA0ZYRLpfw8J4sVgYmPKl+S0Rx1qdt9X2GHVNIq5FqtFytx3lQt1VF4BTW6 kRHqqccHLKIo0MCRcNBw9wtn5BSQXpmJO9jpsazrBwxMPZpf2Z4mQhMO0aRxq2k7 Oyxz2O1ElNXzItuXM4ZT4OSR2pISjLC5mhKcauH3m/ecAbUwqEf6CjpvLXt7iI/0 OUqnZ7gO4m8fPoIaA0iT51o5Pb/EXTLnvyIrnlOL5C+xyNB8pQETP+cJZSnYYYWX eNwQ+LwEgSHptPP09cbNFOnf+r1eJR22haPL2sMPveGbKRY= =LR1k -----END PGP SIGNATURE----- Download attachment "xsa455.patch" of type "application/octet-stream" (1631 bytes) Download attachment "xsa455-4.16.patch" of type "application/octet-stream" (1613 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.