Information

AdvisoryXSA-452
Public release 2024-03-12 16:44
Updated 2024-03-12 16:44
Version 1
CVE(s) CVE-2023-28746
Title x86: Register File Data Sampling

Files

advisory-452.txt (signed advisory file)
xsa452/xsa452-1.patch
xsa452/xsa452-2.patch
xsa452/xsa452-3.patch
xsa452/xsa452-4.15-1.patch
xsa452/xsa452-4.15-2.patch
xsa452/xsa452-4.15-3.patch
xsa452/xsa452-4.15-4.patch
xsa452/xsa452-4.15-5.patch
xsa452/xsa452-4.15-6.patch
xsa452/xsa452-4.15-7.patch
xsa452/xsa452-4.16-1.patch
xsa452/xsa452-4.16-2.patch
xsa452/xsa452-4.16-3.patch
xsa452/xsa452-4.16-4.patch
xsa452/xsa452-4.16-5.patch
xsa452/xsa452-4.16-6.patch
xsa452/xsa452-4.16-7.patch
xsa452/xsa452-4.17-1.patch
xsa452/xsa452-4.17-2.patch
xsa452/xsa452-4.17-3.patch
xsa452/xsa452-4.17-4.patch
xsa452/xsa452-4.17-5.patch
xsa452/xsa452-4.17-6.patch
xsa452/xsa452-4.17-7.patch
xsa452/xsa452-4.18-1.patch
xsa452/xsa452-4.18-2.patch
xsa452/xsa452-4.18-3.patch
xsa452/xsa452-4.18-4.patch
xsa452/xsa452-4.18-5.patch
xsa452/xsa452-4.18-6.patch
xsa452/xsa452-4.18-7.patch
xsa452/xsa452-4.patch
xsa452/xsa452-5.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2023-28746 / XSA-452

                   x86: Register File Data Sampling

ISSUE DESCRIPTION
=================

Intel have disclosed RFDS, Register File Data Sampling, affecting some
Atom cores.

This came from internal validation work.  There is no information
provided about how an attacker might go about inferring data from the
register files.

For more details, see:
  https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html

IMPACT
======

An attacker might be able to infer the contents of data held previously
in floating point, vector and/or integer register files on the same
logical processor, including data from a more privileged context.

Note: None of the vulnerable processors support HyperThreading, so there
      is no instantaneous exposure of data from other threads.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

RFDS is only known to affect certain Atom processors from Intel.  Other
Intel CPUs, and CPUs from other hardware vendors are not known to be
affected.

RFDS affects Atom processors between the Goldmont and Gracemont
microarchitectures.  This includes Alder Lake and Raptor Lake hybrid
client systems which have a mix of Gracemont and other types of cores.

MITIGATION
==========

There is no mitigation.

RESOLUTION
==========

Intel are producing microcode update to address the issue for in-support
CPUs.  This is done by extending the VERW instruction with more
scrubbing side effects.  Consult your dom0 OS vendor and/or hardware
vendor for updated microcode.

In addition to the microcode, changes are required in Xen to reposition
the VERW scrubbing and to activate it when necessary, as well as to
inform guest kernels of when the extra side effect is present and/or
when the system is believed to be not vulnerable.  The appropriate set
of patches does this.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa452/xsa452-?.patch           xen-unstable
xsa452/xsa452-4.18-?.patch      Xen 4.18.x
xsa452/xsa452-4.17-?.patch      Xen 4.17.x
xsa452/xsa452-4.16-?.patch      Xen 4.16.x
xsa452/xsa452-4.15-?.patch      Xen 4.15.x

$ sha256sum xsa452*/*
9365456e85fc04947206075cdfe4a805c3d628d7c1f5b8020785d8fd84c93aa9  xsa452/xsa452-1.patch
89ce3001975352a1321dc1577d9d14273e6b383080900881603339e5a860e1fd  xsa452/xsa452-2.patch
775a2d57b7aa8e2522cce61b1ddebd267e36218ecdcc0f678db7ed0ed1f54c21  xsa452/xsa452-3.patch
0e56da437f3ea30b97f79fa1d247561815625e152c963dd504f11082863eaa32  xsa452/xsa452-4.15-1.patch
184f2fe90b614e3e5c7056669ea6c829242058f5c00407a3db1e34bcd4fb4aed  xsa452/xsa452-4.15-2.patch
237e9aa65122ef4a18f57e44f6841a80e967deac90e251ce629cba6ea2f66030  xsa452/xsa452-4.15-3.patch
59d5ec14b784b6c4f9ce2bb6258cb91ee6233fc01761f27c655f4582bdeb6830  xsa452/xsa452-4.15-4.patch
946a8d80f7c11a03a26a045eb2ba4e03be7e739f04df72e5e1f67279e374136e  xsa452/xsa452-4.15-5.patch
6eba7f56a67a101c39e2345b53530a4036b2fad50f4b745e39f8da1d0bffcbd5  xsa452/xsa452-4.15-6.patch
326571a214f358787bc4af8c71d96ae6455a9da80da4d43358af282eebb51e4d  xsa452/xsa452-4.15-7.patch
5aca7cf8ca97dd735769fc4c154dab576461da7ec1838ad152e90ceebb5af60d  xsa452/xsa452-4.16-1.patch
c7167c270a28cb639a9b94b898e656123767c21d0951fe48404bbbcf7d2be151  xsa452/xsa452-4.16-2.patch
55d61becc38663c6756baceb919645bc2cb4794b517cd067f9b452822fe11ecf  xsa452/xsa452-4.16-3.patch
6e7a93935d1a4df2dea5d9a6542127feb5d662b33cc766587a713746e4992841  xsa452/xsa452-4.16-4.patch
ee4bbf1988a05cc00c51512d5f258d310f3d5f21d23094d4a7b9ca3cf55ffcde  xsa452/xsa452-4.16-5.patch
f44dc3d957eca731834d13c1b7bf31cadfee5c4d354dbdb1e6aa317063c26420  xsa452/xsa452-4.16-6.patch
520188698c87ebfd42457b8f22d62e20e715d1bf28bfe43f93fbac4479485b15  xsa452/xsa452-4.16-7.patch
5ee4fffcb0418d34ec03605cf507d7c24d82355716fde250d3fd01308c40b29f  xsa452/xsa452-4.17-1.patch
a4081d6329c9ba7dd95b2f693ef6cfa61ef3a6148b0e4279f2cc8648be98b1ca  xsa452/xsa452-4.17-2.patch
bd6364569bb1d2841df6e9dad2d0c0d859b5cab5046141ba6c54a53ab7cbef76  xsa452/xsa452-4.17-3.patch
9c7aedd1a4f1e3dab344dd4ac0438de3ab25079f6aaa8d2f1b384b8f6f2df770  xsa452/xsa452-4.17-4.patch
7886b2da37de7c8bb0ed1bd9e8f001dbc46aa8802152c315fa1141f76e09dc77  xsa452/xsa452-4.17-5.patch
01dd485e5b2130b85905187ef6351d2fb6514cefb0096db3f710bff4345b8c29  xsa452/xsa452-4.17-6.patch
f64109a3e0a2237cc4fabc94f680c96a82e71d037e9d263ee7782fef0895fa32  xsa452/xsa452-4.17-7.patch
2fa4d889fc193e4ddd46e570e8c37d59e89fd667db52afb912d692d2775b25d6  xsa452/xsa452-4.18-1.patch
a4081d6329c9ba7dd95b2f693ef6cfa61ef3a6148b0e4279f2cc8648be98b1ca  xsa452/xsa452-4.18-2.patch
d4f61f50c9c6c17888ae6a371a2bde95cfad92d4e72c5e3ca54638fb4cc6fcfa  xsa452/xsa452-4.18-3.patch
7922255f39744c75fa2e84c3971a27432b1f1f177ddb40647bdc753eacea412c  xsa452/xsa452-4.18-4.patch
b262adff116cb00c371b45cffffb111c4ca359490a27a69ad7482a1ae92ac173  xsa452/xsa452-4.18-5.patch
0c0830b81f60b5a5b4d6bd339410ab6f512276491d30881587361b9c9fb7d0ff  xsa452/xsa452-4.18-6.patch
4ab5a0106c4ffdf713ebd3059eccd07ae8589e0d8348413685ecf0ff7d7b2a05  xsa452/xsa452-4.18-7.patch
51c1561026f32415cf69a362cca33a14aa361f34ddce3785667d99d25e922488  xsa452/xsa452-4.patch
518da7d12c295851a1ae3a03cc28b290bc0e9dee4c4446d20d341c88c9908961  xsa452/xsa452-5.patch
$
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmXwhmMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZfzUIALkcXm6t44EmYio/o6hUaxtx/V13QAANeTVss/V/
jRblCgWLw5hb39IToDmoDaX46fIxNDjAzT6GqOB/rnLHj9vNv15zVEsiAxgKPQXs
YQyYZQxKB/4kb24JG/KhPLBc1iQOXWmK9BmNdgHgOlC1fqXzYHInZsm69BZhs6Dk
nScFOeCaT/zvLybhehRioHFpNKkiFXSxZnIuj7IB9zkVrbS0YzZX9+H56Rs/VAuF
wTqoCdqSZ0F5KnWsXsnWCYfz3Sd/mTiT5qvFROPCqbfNClEnU7NzCd4Mz2/QVjJJ
LXhN/CrllJKWcpAcFW6Bx250uDC3/oSBfHNL/D+AsC/abcM=
=N4gH
-----END PGP SIGNATURE-----


Xenproject.org Security Team