Information

Advisory XSA-407
Public release 2022-07-12 16:35
Updated 2022-07-12 16:35
Version 1
CVE(s) CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
Title Retbleed - arbitrary speculative code execution with return instructions

Files

advisory-407.txt (signed advisory file)
xsa407.meta
xsa407/xsa407-1.patch
xsa407/xsa407-2.patch
xsa407/xsa407-3.patch
xsa407/xsa407-4.13-01.patch
xsa407/xsa407-4.13-02.patch
xsa407/xsa407-4.13-03.patch
xsa407/xsa407-4.13-04.patch
xsa407/xsa407-4.13-05.patch
xsa407/xsa407-4.13-06.patch
xsa407/xsa407-4.13-07.patch
xsa407/xsa407-4.13-08.patch
xsa407/xsa407-4.13-09.patch
xsa407/xsa407-4.13-10.patch
xsa407/xsa407-4.13-11.patch
xsa407/xsa407-4.13-12.patch
xsa407/xsa407-4.13-13.patch
xsa407/xsa407-4.13-14.patch
xsa407/xsa407-4.13-15.patch
xsa407/xsa407-4.13-16.patch
xsa407/xsa407-4.13-17.patch
xsa407/xsa407-4.13-18.patch
xsa407/xsa407-4.13-19.patch
xsa407/xsa407-4.13-20.patch
xsa407/xsa407-4.13-21.patch
xsa407/xsa407-4.14-01.patch
xsa407/xsa407-4.14-02.patch
xsa407/xsa407-4.14-03.patch
xsa407/xsa407-4.14-04.patch
xsa407/xsa407-4.14-05.patch
xsa407/xsa407-4.14-06.patch
xsa407/xsa407-4.14-07.patch
xsa407/xsa407-4.14-08.patch
xsa407/xsa407-4.14-09.patch
xsa407/xsa407-4.14-10.patch
xsa407/xsa407-4.14-11.patch
xsa407/xsa407-4.14-12.patch
xsa407/xsa407-4.15-1.patch
xsa407/xsa407-4.15-2.patch
xsa407/xsa407-4.15-3.patch
xsa407/xsa407-4.15-4.patch
xsa407/xsa407-4.15-5.patch
xsa407/xsa407-4.15-6.patch
xsa407/xsa407-4.15-7.patch
xsa407/xsa407-4.15-8.patch
xsa407/xsa407-4.16-1.patch
xsa407/xsa407-4.16-2.patch
xsa407/xsa407-4.16-3.patch
xsa407/xsa407-4.16-4.patch
xsa407/xsa407-4.16-5.patch
xsa407/xsa407-4.16-6.patch
xsa407/xsa407-4.16-7.patch
xsa407/xsa407-4.16-8.patch
xsa407/xsa407-4.patch
xsa407/xsa407-5.patch
xsa407/xsa407-6.patch
xsa407/xsa407-7.patch
xsa407/xsa407-8.patch

Advisory



 Xen Security Advisory CVE-2022-23816,CVE-2022-23825,CVE-2022-29900 / XSA-407

   Retbleed - arbitrary speculative code execution with return instructions

ISSUE DESCRIPTION
=================

Researchers at ETH Zurich have discovered Retbleed, allowing for
arbitrary speculative execution in a victim context.

For more details, see:
  https://comsec.ethz.ch/retbleed

ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for
Intel.

Despite the similar preconditions, the underlying microarchitectural
behaviours differ substantially between vendors.

On AMD CPUs, Retbleed is one specific instance of a more general
microarchitectural behaviour called Branch Type Confusion.  AMD have
assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type
Confusion).

For more details, see:
  https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037

On Intel CPUs, Retbleed is not a new vulnerability; it is only
applicable to software which did not follow Intel's original Spectre-v2
guidance.  Intel are using the ETH Zurich allocated CVE-2022-29901.

For more details, see:
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html
  https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html

ARM have indicated existing guidance on Spectre-v2 is sufficient.

IMPACT
======

An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Whether a CPU is potentially vulnerable depends on its
microarchitecture.  Consult your hardware vendor.

For ARM and Intel CPUs, Xen implemented the vendor-recommended defaults
in XSA-254 and follow-on fixes.  Therefore, the Xen Security Team
believes there are no further changes necessary on these CPUs.
Administrators who deviated from the default mitigations are potentially
affected and should re-evaluate their threat model.

For AMD, CPUs from the Zen2 microarchitecture and earlier are
potentially vulnerable.  Zen3 and later CPUs are not believed to be
vulnerable.

The patches for Xen implement the IBPB-at-entry mitigation.  This
depends on the IBPB microcode distributed by AMD in 2018 as part of the
original Spectre/Meltdown work.  Consult your dom0 OS vendor.

In addition to IBPB, "cross thread" safety is necessary.  On Zen2 CPUs,
Xen uses STIBP by default.  On Zen1 CPUs, SMT needs disabling either in
the firmware, or by passing `smt=0` on Xen's command line.  On Fam15h
CPUs, Cluster Multi-Threading needs disabling in firmware.

Due to performance concerns, dom0 is excluded from IBPB-on-entry
protections by default.  This is because PV dom0 is trusted in most
deployments.  If your threat model doesn't allow for dom0 to be
treated specially, boot with `spec-ctrl=ibpb-entry`, which will cause
IBPB-on-entry protections to be applied to dom0 too.
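As an added illustration (not part of the advisory or of Xen's own tooling), the check below turns the AMD-specific requirements above into an offline assessment of a host: it classifies the CPU from a /proc/cpuinfo fragment and looks for the `smt=0` and `spec-ctrl=ibpb-entry` options in the `xen_commandline` line printed by `xl info`. The sample inputs are constructed, and the Zen1/Zen2 split by family-17h model number is an assumption not stated in the advisory.

```python
import re

# Constructed sample inputs (not captured from a real host): a /proc/cpuinfo
# fragment for one AMD Zen1 core and the xen_commandline line from `xl info`.
SAMPLE_CPUINFO = "vendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 1\n"
SAMPLE_XEN_CMDLINE = "xen_commandline        : dom0_mem=4G smt=0 spec-ctrl=ibpb-entry"


def amd_microarch(cpuinfo):
    """Classify per XSA-407: 'fam15h', 'zen1', 'zen2', 'zen3+', 'other', or None (non-AMD).
    Assumption not taken from the advisory: family 17h models >= 0x30 are Zen2 and
    lower models are Zen/Zen+ (the split used by the Linux kernel's model tables)."""
    fields = dict(re.findall(r"^([a-z_ ]+?)\s*:\s*(.*)$", cpuinfo, re.M))
    if fields.get("vendor_id") != "AuthenticAMD":
        return None
    family, model = int(fields["cpu family"]), int(fields["model"])
    if family == 0x15:
        return "fam15h"
    if family == 0x17:
        return "zen2" if model >= 0x30 else "zen1"
    return "zen3+" if family >= 0x19 else "other"


def xen_options(cmdline):
    """Split the `xl info` xen_commandline line into top-level options and spec-ctrl sub-options."""
    if cmdline.lstrip().startswith("xen_commandline"):
        cmdline = cmdline.split(":", 1)[1]  # drop the "xen_commandline :" label
    words = cmdline.split()
    spec = set()
    for w in words:
        if w.startswith("spec-ctrl="):
            spec.update(w[len("spec-ctrl="):].split(","))
    return set(words), spec


def assess(cpuinfo, cmdline, dom0_trusted=True):
    """Return the actions a host still needs under XSA-407 (empty list = nothing to do)."""
    arch = amd_microarch(cpuinfo)
    opts, spec = xen_options(cmdline)
    findings = []
    if arch not in ("fam15h", "zen1", "zen2"):
        return findings  # Intel/ARM defaults or Zen3+: no further changes per the advisory
    findings.append("apply XSA-407 patches (IBPB-on-entry) and ensure IBPB microcode is loaded")
    if arch == "zen1" and "smt=0" not in opts:
        findings.append("Zen1: disable SMT in firmware or boot with smt=0")
    elif arch == "fam15h":
        findings.append("Fam15h: disable Cluster Multi-Threading in firmware (not a Xen option)")
    if not dom0_trusted and "ibpb-entry" not in spec:
        findings.append("dom0 not trusted: boot with spec-ctrl=ibpb-entry to cover dom0")
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_CPUINFO, SAMPLE_XEN_CMDLINE, dom0_trusted=False):
        print("-", f)
```

Whether SMT is disabled in firmware, or CMT on Fam15h, is not visible from the command line, so those findings are reminders to verify rather than confirmed gaps.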

MITIGATION
==========

There are no mitigations.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

For the 4.15 and 4.16 branches in particular, these patches depend on:

 - x86/spec-ctrl: Only adjust MSR_SPEC_CTRL for idle with legacy IBRS
 - x86/spec-ctrl: Knobs for STIBP and PSFD, and follow hardware STIBP hint
 - xen/cmdline: Extend parse_boolean() to signal a name match
 - x86/spec-ctrl: Add fine-grained cmdline suboptions for primitives

which have been recently backported.

xsa407/xsa407-?.patch           xen-unstable
xsa407/xsa407-4.16-*.patch      Xen 4.16.x
xsa407/xsa407-4.15-*.patch      Xen 4.15.x
xsa407/xsa407-4.14-*.patch      Xen 4.14.x
xsa407/xsa407-4.13-*.patch      Xen 4.13.x

$ sha256sum xsa407* xsa407*/*

NOTE CONCERNING LACK OF EMBARGO
===============================

The disclosers did not authorise us to predisclose.

Xenproject.org Security Team