Information

Advisory XSA-289
Public release 2019-01-21 12:00
Updated 2019-01-21 17:32
Version 3
CVE(s) none (yet) assigned
Title Cache-load gadgets exploitable with L1TF

Files

advisory-289.txt (signed advisory file)
xsa289/0000-Cover-Letter.txt
xsa289/0001-lfence-add-function-that-returns-int.patch
xsa289/0002-is_hvm-pv_domain-block-speculation.patch
xsa289/0003-is_control_domain-block-speculation.patch
xsa289/0004-x86-hvm-block-speculative-accesses.patch
xsa289/0005-nospec-introduce-method-for-static-arrays.patch
xsa289/0006-x86-hvm-block-speculative-out-of-bound-accesses.patch
xsa289/0007-xen-evtchn-block-speculative-out-of-bound-accesses.patch
xsa289/0008-common-gant_table-block-speculative-out-of-bound-acc.patch
xsa289/0009-x86-hvm-emulate-block-speculative-out-of-bound-acces.patch
xsa289/0010-x86-vioapic-block-speculative-out-of-bound-accesses.patch
xsa289/0011-x86-hvm-hpet-block-speculative-out-of-bound-accesses.patch
xsa289/0012-common-memory-block-speculative-out-of-bound-accesse.patch
xsa289/0013-x86-CPUID-block-speculative-out-of-bound-accesses.patch
xsa289/detect-spectre-candidates.sh
xsa289/sorted-gadgets.txt

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-289
                              version 3

               Cache-load gadgets exploitable with L1TF

UPDATES IN VERSION 3
====================

Rewrite text for technical accuracy.  Previous references to Spectre v1
gadgets were not correct.  In particular, the Xen Security Team is still
unaware of any Spectre v1 gadgets in Xen.

State that x86 PV guests cannot exploit the vulnerability.

Mention use of xen-hptool, and xl global affinity masks, as possible
mitigation approaches.

ISSUE DESCRIPTION
=================

Previously reported vulnerabilities CVE-2017-5753 / XSA-254 (Spectre V1)
and CVE-2018-3646 / XSA-273 (L1TF) can, when combined, be leveraged to
more easily gather leaked information.

A Spectre v1 gadget is a speculation sequence which starts with a
conditional branch, contains a memory load who's address is
attacker-influenced, and a second action dependent on the content of the
first memory load, which opens a sidechannel with the attacker.

These gadgets are rare in code, and so far, none have been discovered in
Xen.  However, the first half of this gadget (i.e. to the first memory
load) is a very common sequence to find in compiled C, and forms an
arbitrary cache-load gadget.

An attacker can combine cache-load gadgets like this to bring data into
the cache on on hyperthread of a given CPU core, while L1TF is used on
another hyperthread to read the cached data.

A number of specific exploitable gadgets have been identified.

There are no new vulnerabilities.  There is only new information about
existing vulnerabilities: specifically, confirmation that existing,
previously disclosed, vulnerabilities, can be exploited in specific
ways.  (Previously, it was merely expected, and stated in XSA-254 and
XSA-273, that such the vulnerabilities would be exploitable.)

IMPACT
======

An attacker can potentially read arbitrary host RAM.  This includes data
belonging to Xen, data belonging to other guests, and data belonging to
different security contexts within the same guest.

An attacker could be a guest kernel (which can manipulate the pagetables
directly), or could be guest userspace either directly (e.g. with
mprotect() or similar system call) or indirectly (by gaming the guest
kernel's paging subsystem).

See XSA-254 and XSA-273 for more general information about the
underlying vulnerabilities.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only x86 processors are vulnerable.  ARM processors are not known to be
affected.

Only systems with Symmetric Multi Threading (SMT, aka hyperthreading)
available and enabled are vulnerable.

Only Intel Core based processors (from at least Merom onwards) are
potentially affected.  Other processor designs (Intel Atom/Knights
range), and other manufacturers (AMD) are not known to be affected.

Only x86 HVM or PVH guests can exploit the vulnerability.  x86 PV guests
cannot exploit the vulnerability.

MITIGATION
==========

As discussed in XSA-273, disabling SMT / hyperthreading will avoid the
L1TF vulnerability.  It will therefore prevent the use of the
exploitable code patterns discussed in this advisory.  Disabling SMT
may be achieved via a BIOS option (preferred) or the "smt=0"
hypervisor command line option, or at runtime using `xen-hptool`, or by
using the xl global affinity masks.

CREDITS
=======

This issue was discovered by Norbert Manthey, Julian Stecklina, and
Pawel Wieczorkiewicz of the Xen Security Team at Amazon.

RESOLUTION
==========

These are hardware bugs, so technically speaking they cannot be
properly fixed in software.

See XSA-273 and XSA-254 for a fuller discussion of the general
situation, background, etc.

TECHNICAL DETAILS
=================

For the specific technical details of the now-known-explitable code
patterns, please see the attached patches.

These patches are intended by their authors to mitigate these
vulnerabilities.  In some form they are likely to be included in
future Xen releases.  We very much welcome this contribution to the
Xen community's response to Spectre/L1TF.

However:

 * These patches have not been validated by the Xen Project
   Security Team.  Work is ongoing.

 * We expect that there may be other exploitable code patterns and
   gadgets, similar to but beyond those disclosed here.

 * Should further such exploitable code patterns be discovered, we
   will not necessarily issue a further advisory, or update this
   advisory.  Instead, we would usually recommend that any
   improvements to reduce the exploitability be handled in public, in
   accordance with the public status of the underlying vulnerabilities
   XSA-273 and XSA-254.

 * We therefore do not recommend responding to this advisory by
   applying these patches.  Instead, we recommend using hardware
   without this bug, or failing that, disabling hyperthreading (SMT)
   as discussed in XSA-273.

$ sha256sum xsa289*/*
fb58117afd3d69b2bc67001b759bcb8b27d5eddf14bb69596e01b5735a46fc83  xsa289/0000-Cover-Letter.txt
8051f6ac3f945d80368e745fff9568688a5f3ec3d34e88e1f965fe74853a60ac  xsa289/0001-lfence-add-function-that-returns-int.patch
bc0a26533d56fff11081661546c0b0c0bf3b216dc18b72944dfeef36adb254d4  xsa289/0002-is_hvm-pv_domain-block-speculation.patch
ffb445c40064c65b167b5badbb73bf5e00689494a11269684a5e432c96bb5d74  xsa289/0003-is_control_domain-block-speculation.patch
2952ac3f46256a85670b18a3d100d2fc6429fa98bb07dd55abe7ee939f30cb3e  xsa289/0004-x86-hvm-block-speculative-accesses.patch
c73ceacd649ebc4bc054e6e181283c1c58e3bed3e1d1309e5780e5efbd85461a  xsa289/0005-nospec-introduce-method-for-static-arrays.patch
52af8d264e770055d1e3937de0e2ebca408f2a7ec6b8d4fd67270594e2fa17e7  xsa289/0006-x86-hvm-block-speculative-out-of-bound-accesses.patch
6beb965c15b36cc81ba756202f046e5757f6c69b0983abd98e51710b03c9851b  xsa289/0007-xen-evtchn-block-speculative-out-of-bound-accesses.patch
e48aaee8cf62ee7fc5df9fd07e2b687e53a8e056001d4e6434525ac68346ee18  xsa289/0008-common-gant_table-block-speculative-out-of-bound-acc.patch
8f4fad87aff662901d848add571f5e3d0c08de444cc514391f6f4a133eff14b5  xsa289/0009-x86-hvm-emulate-block-speculative-out-of-bound-acces.patch
43e61e91318c44a56f954c058ce85616df46e5ca424fcad066e631c16add2956  xsa289/0010-x86-vioapic-block-speculative-out-of-bound-accesses.patch
394cdb4c7e15cc2cbaa383b724707a8a87f9e19f729561fd3cf02c3551003911  xsa289/0011-x86-hvm-hpet-block-speculative-out-of-bound-accesses.patch
54a3f85f887b9ce596b5908a62e3efff76c79502941b71fd520a4170299e21c0  xsa289/0012-common-memory-block-speculative-out-of-bound-accesse.patch
e87a89f333873a3b96318adfdd5fde8317b3a2062e7f330fc5398e0e5eade213  xsa289/0013-x86-CPUID-block-speculative-out-of-bound-accesses.patch
94957ed06308e9af120373be6807fd3b044de8a35b7088c10c78b496596664f2  xsa289/detect-spectre-candidates.sh
8569b7be345e01365ea4ecdd22ed00b21343d4234d83f5ce4bb11191c918354e  xsa289/sorted-gadgets.txt
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlxGAjMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ7MUH/RUVelZ4yX8+2V/fpU02toqDnc0GhxNWepxpcOJ4
ma8U0i1nAwCyAFUAsn5K/pLn4dldyt8P+YdO9oDxasTuDTXo/Ussn/i5JkzpIaWX
dspy7lfOOduxEiqNLJ6VilAQs742sOUmQiVA6P+ZQUvMjaHtpT9qWBLaHD4C56TQ
UaHl14Iog6RbWIFikAme57iEyQ4QlCI9lEvGEYLF9FTyezsZZp+RFsszmDGa7hWo
UfHdKsxmC9RohRjM59nPjU7ZgUrTnbWkn4ShXLMZnDvj1MPtC9QxLXQgGIBST8ET
FrXMRRdg1fcUk6m0FMHhPx83gs/eWz5He+4qC/QZhfZDTfw=
=/mfS
-----END PGP SIGNATURE-----

Xenproject.org Security Team