Xen Test Framework
XSA-444

Advisory: XSA-444

This is for CVE-2023-34328 only.

Xen has a per-domain mapping area, containing the live GDT/LDTs. On Xen 4.13 and earlier, the Compat Translate Area (XLAT) is adjacent to the GDT/LDTs.

The XLAT area isn't used by 64bit PV guests, but it is present in the memory map, which is common to all guest types. The XLAT area is used by 32bit PV guests, but they can't set a breakpoint address above 4G, and therefore can't mount the attack.

Prior to the XSA-444 fix, Xen allowed PV guests to place breakpoints on the XLAT area. Combined with the AMD DBEXT extension, a breakpoint in the XLAT area can be widened to cover the live GDT too.

This results in one of two behaviours, both of which are fatal to Xen.

  • On AMD Zen2 and older, Xen suffers XSA-156 / CVE-2015-8104.
  • On AMD Zen3 and later, with the NoNestedDataBp hardware fix for CVE-2015-8104, things are more complicated.
    • Any IRET (which reads the GDT for cs and ss) will queue a new #DB, which will be delivered in the interrupted context, prior to decoding the subsequent instruction.
    • The delivery of #DB won't trigger another #DB because of the hardware fix. Xen's debug handler runs normally.
    • If the interrupted context was guest context, the #DB is forwarded to the guest kernel. For a 64bit PV guest kernel, this always uses the SYSRET path out of Xen, and does not trigger a new #DB.
    • A 64bit PV guest kernel leaving its #DB handler uses HYPERCALL_iret in IRET mode rather than SYSRET mode. This transfers up into Xen via SYSCALL (no GDT reads), and leaves Xen via IRET, triggering a new #DB and livelocking the guest, which keeps taking #DBs on the same instruction boundary.
    • Any IDT delivery which isn't #DB triggers a new #DB, causing Xen's debug handler to observe a #DB pointing at the ENDBR instruction of the relevant vector. The return from the debug handler is to Xen context, and therefore by IRET, which livelocks.
    • Because of the priority of INTR/NMI in the instruction cycle, they take priority over pending breakpoints. Therefore over time and dependent on external stimuli, Xen accumulates IRQS-off, blocked-by-NMI, and an increasing APIC Priority while still in its livelocked state.
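
The root cause above is a breakpoint check that looked at the programmed address but not at the DBEXT address mask that widens it. The following is an added, illustrative check (not code from Xen or XTF) that makes the mask part of the decision; the per-domain layout, the addresses and the region sizes are constructed for the example and are not Xen's real values.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed layout for illustration only (not Xen's real addresses): the
 * per-domain area holds the live GDT/LDTs with the XLAT area directly after
 * them, mirroring the adjacency described for Xen 4.13 and earlier. */
#define PERDOMAIN_START  0xffffa00000000000ULL
#define GDT_LDT_START    PERDOMAIN_START
#define GDT_LDT_END      (PERDOMAIN_START + 0x200000ULL)   /* exclusive */
#define XLAT_START       GDT_LDT_END
#define XLAT_END         (PERDOMAIN_START + 0x400000ULL)   /* exclusive */
#define PERDOMAIN_END    XLAT_END

/* Lowest and highest address matched by a DRn breakpoint whose 32-bit AMD
 * DBEXT address mask is 'mask': every masked bit is ignored in the compare,
 * so the match set lies within [addr & ~mask, addr | mask]. Because the mask
 * is only 32 bits wide, the widening never leaves the 4G-aligned window
 * around 'addr', which is why a 32bit PV guest cannot reach the high mappings. */
static void dbext_bounds(uint64_t addr, uint32_t mask, uint64_t *lo, uint64_t *hi)
{
    *lo = addr & ~(uint64_t)mask;
    *hi = addr | mask;
}

/* Conservative overlap test: treats the match set as the whole interval
 * [lo, hi], so it can over-reject an unusual mask but never lets a widened
 * breakpoint reach [start, end). */
bool dbext_reaches(uint64_t addr, uint32_t mask, uint64_t start, uint64_t end)
{
    uint64_t lo, hi;
    dbext_bounds(addr, mask, &lo, &hi);
    return lo < end && hi >= start;
}

/* Pre-fix style check: looks only at the programmed address and only guards
 * the GDT/LDT slot, so an XLAT address with a wide mask slips through. */
bool bp_allowed_addr_only(uint64_t addr)
{
    return !(addr >= GDT_LDT_START && addr < GDT_LDT_END);
}

/* Hardened check: the mask is part of the decision, and the whole per-domain
 * area (XLAT included) is off-limits to guest breakpoints. */
bool bp_allowed_masked(uint64_t addr, uint32_t mask)
{
    return !dbext_reaches(addr, mask, PERDOMAIN_START, PERDOMAIN_END);
}
```
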
See also
tests/xsa-444/main.c