-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-23816,CVE-2022-23825,CVE-2022-29900 / XSA-407 Retbleed - arbitrary speculative code execution with return instructions ISSUE DESCRIPTION ================= Researchers at ETH Zurich have discovered Retbleed, allowing for arbitrary speculative execution in a victim context. For more details, see: https://comsec.ethz.ch/retbleed ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for Intel. Despite the similar preconditions, these are very different microarchitectural behaviours between vendors. On AMD CPUs, Retbleed is one specific instance of a more general microarchitectural behaviour called Branch Type Confusion. AMD have assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type Confusion). For more details, see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037 On Intel CPUs, Retbleed is not a new vulnerability; it is only applicable to software which did not follow Intel's original Spectre-v2 guidance. Intel are using the ETH Zurich allocated CVE-2022-29901. For more details, see: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html ARM have indicated existing guidance on Spectre-v2 is sufficient. IMPACT ====== An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. VULNERABLE SYSTEMS ================== Systems running all versions of Xen are affected. Whether a CPU is potentially vulnerable depends on its microarchitecture. Consult your hardware vendor. For ARM and Intel CPUs, Xen implemented the vendor-recommended defaults in XSA-254 and follow-on fixes. Therefore, the Xen Security Team believes there are no further changes necessary on these CPUs. Administrators who deviated from the default mitigations are potentially affected and should re-evaluate their threat model. For AMD, CPUs from the Zen2 microarchitecture and earlier are potentially vulnerable. Zen3 and later CPUs are not believed to be vulnerable. The patches for Xen implement the IBPB-at-entry mitigation. This depends on the IBPB microcode distributed by AMD in 2018 as part of the original Spectre/Meltdown work. Consult your dom0 OS vendor. In addition to IBPB, "cross thread" safety is necessary. On Zen2 CPUs, Xen uses STIBP by default. On Zen1 CPUs, SMT needs disabling either in the firmware, or by passing `smt=0` on Xen's command line. On Fam15h CPUs, Cluster Multi-Threading needs disabling in firmware. Due to performance concerns, dom0 is excluded from IBPB-on-entry protections by default. This is because PV dom0 is trusted in most deployments. If your threat model model doesn't allow for dom0 to be treated specially, boot with `spec-ctrl=ibpb-entry` which will cause IBPB-on-entry protections to be applied to dom0 too. MITIGATION ========== There are no mitigations. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. For the 4.15 and 4.16 branches in particular, these patches depend on: - x86/spec-ctrl: Only adjust MSR_SPEC_CTRL for idle with legacy IBRS - x86/spec-ctrl: Knobs for STIBP and PSFD, and follow hardware STIBP hint - xen/cmdline: Extend parse_boolean() to signal a name match - x86/spec-ctrl: Add fine-grained cmdline suboptions for primitives which have been recently backported. xsa407/xsa407-?.patch xen-unstable xsa407/xsa407-4.16-*.patch Xen 4.16.x xsa407/xsa407-4.15-*.patch Xen 4.15.x xsa407/xsa407-4.14-*.patch Xen 4.14.x xsa407/xsa407-4.13-*.patch Xen 4.13.x $ sha256sum xsa407* xsa407*/* 0a6dea915dd760afc73c3f50f432422d2e853eecaf99e3cdeb2d6e0fb3ee71b1 xsa407.meta 8894b0dc8e8c0900560366bde766826bf357c8aec3233ed6147f2094633a3cbc xsa407/xsa407-1.patch 5955614d73b34ebeab45386dbc9dbe5d96c54f7945d22d5de6c645a5b7796a2f xsa407/xsa407-2.patch 1f901df3a382a547dda6ef4ef088a5cf60a2d2b0382be451b148bf166cf43013 xsa407/xsa407-3.patch 8f75a9eee8ee2a563bc90e493ba1e4ac29335f677a3d2049ec27e138b7e3021e xsa407/xsa407-4.13-01.patch fbe3dca8f170dabf61c620ad1dde12898d52521ede59822971f461549323f946 xsa407/xsa407-4.13-02.patch 9a392bca751a6d6b9489b536ffd7e14722f22e44d266631898ec024b1b258e27 xsa407/xsa407-4.13-03.patch 1eae8ece87fc06ca883fc7510b80ced195c3ec44a589fcf464ead076de4d1afd xsa407/xsa407-4.13-04.patch 016b1a682aa292a380a4fd9c49c65ade0fa7d19ef2f636611d7883d6adb38008 xsa407/xsa407-4.13-05.patch cc3435e7bf2331a61c6e6731d8c0c4edd10ac49c85c9702e3d790309e1bb494a xsa407/xsa407-4.13-06.patch 46f7b3d8a4ae39fa325dda2d77091b0768367a3d2cf6a341996042e511e46b93 xsa407/xsa407-4.13-07.patch cb31c3104890c83fad719c8a2c7b0ae242625132a1e9d6afbf6310af10a8c14a xsa407/xsa407-4.13-08.patch 55241ce45fb11825f7867ae188d73007c38c63d4a8489d990a8c869e000669dc xsa407/xsa407-4.13-09.patch f2d8a64f8446890a055e084f195a9f7c8982915556cefb48dd12b0e798b30a0f xsa407/xsa407-4.13-10.patch aa0ed6a1126c4d9d5fc94c00a51ddf27f4357c4a1cb258f72f0c17ac4ce0d191 xsa407/xsa407-4.13-11.patch e91f244180bd92c111e1c653c22644b8144f3610717dd00347b7f21df75830bf xsa407/xsa407-4.13-12.patch 59c604f50e0cedac2d5011fdb580aab4d719dbe73d9c50096faae70324864927 xsa407/xsa407-4.13-13.patch ca1f04eaacf86ac21a4656b8f1ad9ff0b06d5f295bba5ee21e0bbb4698b165c0 xsa407/xsa407-4.13-14.patch d3ee52d4144b5bb375c1fb7e484b68190632da22e654ab480b73745fe2f23af1 xsa407/xsa407-4.13-15.patch af4ec1eed3d10ce6795e96216676db581e19e4e65d19ee48679a1230a6c37a2f xsa407/xsa407-4.13-16.patch 8ee57395139261e09e387775d7f5c36a1fa53f75caff89302167727230250501 xsa407/xsa407-4.13-17.patch 1495ffd28238737bd9ad346e5667065f5acaa82adc86aeceb358be3d3b1469f9 xsa407/xsa407-4.13-18.patch a02fd749eb761b93fe7b2e5977a9aa493af13044165b71de9e7625c0237c2fde xsa407/xsa407-4.13-19.patch cf127677913b8127c9a71b1c9b3badf9f2c2064d1ed2602d236ba610f7335c8a xsa407/xsa407-4.13-20.patch 0289eb4a9098ab806f5b847e5f55652817b9bb8c9ebc98e28fe8ac626c77f77c xsa407/xsa407-4.13-21.patch fde8cafcd3207329a7582a18a333f95e82e5edc54e93e4d7603c62dc262942a4 xsa407/xsa407-4.14-01.patch e2e7aaf633c2638f4a81eca9e627110b4ad087760b9f4880965093f874b138a2 xsa407/xsa407-4.14-02.patch 69938e6c1293040aff921f2cd6bf2ad850caa682745f0d6be8bc2aabb3802edf xsa407/xsa407-4.14-03.patch 47d67a565d3077688a43937d7cb6cc79d43a8d5e8563711a1476924c696a9759 xsa407/xsa407-4.14-04.patch 14d15b20e053c7dec2e9dd9cbd108284b0ac2069dac2e5c4e76ab4c78637fbe8 xsa407/xsa407-4.14-05.patch cd38bb072a8e99760a80464482d645aba1531fdb4f4d04eabd7c48e2db00c8e1 xsa407/xsa407-4.14-06.patch 85b79e26fce7b649ae860f9860925060867004ea1940c1110f5e22354891b66a xsa407/xsa407-4.14-07.patch 0c292123259319cf110df43ccad50ac5f1396de234d457ed1fbd60462da40d82 xsa407/xsa407-4.14-08.patch 1161d0378a63d79461bfdfdc082bb6e49418f6b356a85048a33f268031a11abd xsa407/xsa407-4.14-09.patch 4b4c652481abaf49d1531ed5c6b6f91b17ab8ae71fcbb085f4557b661fa74d5d xsa407/xsa407-4.14-10.patch 074c16f104563ca665ee3af5144b9d3ec5131eea6eb9c5859ba5e2a33051bd55 xsa407/xsa407-4.14-11.patch e816ea5ea372e4e1429e7191721df9203ee8759a337c91e57d176f2d6a636949 xsa407/xsa407-4.14-12.patch 61382cd7985ac5b3d265a08188cbebdd6916fd150413bb77e5ad452fa98e254a xsa407/xsa407-4.15-1.patch cd38bb072a8e99760a80464482d645aba1531fdb4f4d04eabd7c48e2db00c8e1 xsa407/xsa407-4.15-2.patch 03d8a0e18b4e1ffbac268cfc159341b4d641d0322ea77efd22c43e4a4318d511 xsa407/xsa407-4.15-3.patch ae8e8f220a708401a68535e88a3092b35c3db0a20bd3e3a27cdcc7e88d1ff600 xsa407/xsa407-4.15-4.patch aba615483add2199ad2912557e0b9024d6efd6573fa8009590502d483a78e63a xsa407/xsa407-4.15-5.patch 55e58ce88ff7126c314c7e24f75a700a3263388137ecd725d2e459e21c018f64 xsa407/xsa407-4.15-6.patch a3b146ba37e183d9aec813e66e00a6647835246270d2a9a649724f2570c96c17 xsa407/xsa407-4.15-7.patch ac33b676c2fc5fdee565701baadddd627e492e85f9ca481d12a510c5fc3ff7ab xsa407/xsa407-4.15-8.patch 3a3cec31ebb8f0fb41e3804f03318becc2a978d71831cf086f77c7eff89de9fe xsa407/xsa407-4.16-1.patch b936a9a36c336d1dcf05923f9a07728522f6a6d1474006ec179981a4787a4522 xsa407/xsa407-4.16-2.patch 825a683f37964186ab669468c517c342dc55b1e86898a75c86f8ff0de47e1b76 xsa407/xsa407-4.16-3.patch 402795d0cb418503c3e90b65f3bf546493a7411d14208ac718ba8639f67d1860 xsa407/xsa407-4.16-4.patch ec6009b2ddaa74099725844bf4343efb8510015fb851d3ccc26913f877db0bdf xsa407/xsa407-4.16-5.patch 4fa9c65ee0bdf8650b0cd483c205a305352d918408b91d4adf83c84d1b269b2e xsa407/xsa407-4.16-6.patch 1c01c1508103de49cc1895a60babe9d33feaa27da8d2bd89c6895c0173e280d7 xsa407/xsa407-4.16-7.patch d2a4e06959dff5a9772b13d921332804fbaf81f012c0b9cf85f8b9dd008c61de xsa407/xsa407-4.16-8.patch c178e43d3f569086aee66ffaf28f22156bdb22144bdff7ffe4f7c20242abe73c xsa407/xsa407-4.patch eb9985afa38b1d2bffd6a48772a429fc0f88375cd3fc0b977f9a8a0981ab87b4 xsa407/xsa407-5.patch aea9fb436a1f3dc38a874b8b3e4d0f1a82fb14c5e50c579a978aee1a83bfdb72 xsa407/xsa407-6.patch cf1e9796dbaaedf1e3ba7efb830fe99dea8f09125d7ec7bd2a16b11cfc131aa6 xsa407/xsa407-7.patch cc46f1da318dfa72b87bbc069bf448eed3d1b264281e3a7d9a6bad8f6519e8c3 xsa407/xsa407-8.patch $ NOTE CONCERNING LACK OF EMBARGO =============================== The disclosers did not authorise us to predisclose. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmLNotoMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZeiUH/jZsXrd1X9mzVrBaoQQckCtYtrM+9rYS1JbupDZx Ca6P0zwKaX1uaDi/De/UCAbt4fCpE/xqqy9X5wMX0XUFJEhr74GKXDh/evzH7C/i WxwNmoTio0Un5jw+aLlKGza7oSNYVKPgYjDim7iTMmWdzWauS6Ock3HQn2jkG0JL nTarKFX2JjC2INiu6YssDS81nI6cPJAz+AB4FzzU6u/2loPZv5hxpYnrUsWlRaH1 87pAiGhi7gc9yhv9FTi3C/paBG/kioqQi/ahV5S/l2nlIR1xo97ewfStcdAsT5sl XgFq0sKLamMti0Ens3tydrXVNeyfHq9ABlN2eOnufZNT8Kc= =CEa6 -----END PGP SIGNATURE-----