Information

Advisory        XSA-469
Public release  2025-05-12 17:04
Updated         2025-05-12 17:14
Version         2
CVE(s)          CVE-2024-28956
Title           x86: Indirect Target Selection

Files

advisory-469.txt (signed advisory file)
xsa469/xsa469-01.patch
xsa469/xsa469-02.patch
xsa469/xsa469-03.patch
xsa469/xsa469-4.17-01.patch
xsa469/xsa469-4.17-02.patch
xsa469/xsa469-4.17-03.patch
xsa469/xsa469-4.17-04.patch
xsa469/xsa469-4.17-05.patch
xsa469/xsa469-4.17-06.patch
xsa469/xsa469-4.17-07.patch
xsa469/xsa469-4.18-01.patch
xsa469/xsa469-4.18-02.patch
xsa469/xsa469-4.18-03.patch
xsa469/xsa469-4.18-04.patch
xsa469/xsa469-4.18-05.patch
xsa469/xsa469-4.18-06.patch
xsa469/xsa469-4.18-07.patch
xsa469/xsa469-4.19-01.patch
xsa469/xsa469-4.19-02.patch
xsa469/xsa469-4.19-03.patch
xsa469/xsa469-4.19-04.patch
xsa469/xsa469-4.19-05.patch
xsa469/xsa469-4.19-06.patch
xsa469/xsa469-4.19-07.patch
xsa469/xsa469-4.20-01.patch
xsa469/xsa469-4.20-02.patch
xsa469/xsa469-4.20-03.patch
xsa469/xsa469-4.20-04.patch
xsa469/xsa469-4.20-05.patch
xsa469/xsa469-4.20-06.patch
xsa469/xsa469-4.20-07.patch
xsa469/xsa469-04.patch
xsa469/xsa469-05.patch
xsa469/xsa469-06.patch
xsa469/xsa469-07.patch

Advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2024-28956 / XSA-469
                               version 2

                    x86: Indirect Target Selection

UPDATES IN VERSION 2
====================

State the CVE.

ISSUE DESCRIPTION
=================

Researchers at VU Amsterdam have released Training Solo, detailing
several speculative attacks which bypass current protections.

One issue, which Intel have named Indirect Target Selection, is a bug in
the hardware support for prediction-domain isolation.  The mitigation
for this involves both microcode and software changes in Xen.

For more details, see:
  https://vusec.net/projects/training-solo
  https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/indirect-target-selection.html

Another issue discussed in the Training Solo paper pertains to
classic-BPF.  Xen does not have any capability similar to BPF filters,
so is not believed to be affected by this issue.

IMPACT
======

An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only Intel x86 CPUs are potentially affected.  CPUs from other
manufacturers are not known to be affected.

The affected Intel CPUs are believed to be those which have eIBRS
(hardware Spectre-v2 mitigations, starting with Cascade Lake) up to but
not including those which have BHI_CTRL (Alder Lake and Sapphire
Rapids).  See the Intel whitepaper for full details.

MITIGATION
==========

There are no mitigations.

RESOLUTION
==========

Intel are producing microcode to address part of this issue, by
extending IBPB.  This was released in IPU 2025.1 (February 2025).
Consult your dom0 OS vendor and/or hardware vendor for updated
microcode.

In addition to the microcode, changes are required to Xen to address the
other part of the issue.  These involve recompiling Xen using Return
Thunks (-mfunction-return).  Support for Return Thunks is available in
GCC 8 and Clang 15.  Therefore, the Xen patches further rely on a
toolchain at least this new.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa469/xsa469-??.patch           xen-unstable
xsa469/xsa469-4.20-??.patch      Xen 4.20.x
xsa469/xsa469-4.19-??.patch      Xen 4.19.x
xsa469/xsa469-4.18-??.patch      Xen 4.18.x
xsa469/xsa469-4.17-??.patch      Xen 4.17.x

$ sha256sum xsa469*/*
24648f43282a4c4917f49a828f0889139ffd08710884c2d5d2a149213f889316  xsa469/xsa469-01.patch
f9e1e999e5121b71263ccac9e5dbc7f2422751cd8776526b59a3a535245ee271  xsa469/xsa469-02.patch
3aebd84d8c9374e8db4f28a1bd0265ff46d60a142e8cc983c0eae99a3caa4459  xsa469/xsa469-03.patch
1f836801a543d00a4e79daff0438932c7d7b5e9ee76dead124d290e805adc0f2  xsa469/xsa469-4.17-01.patch
aaa7b6967b3ff8b279675edafbccff4e1882202251e8f37c1aaab8e16f4ca8c9  xsa469/xsa469-4.17-02.patch
cf9a224628f218a7afdf7a275da270b8f469342133d3239c19a8b05adb8d9d9e  xsa469/xsa469-4.17-03.patch
5179885f9452f932b9829e942a6942d7a1bba6820c383b0e0ac7ade34f6f444c  xsa469/xsa469-4.17-04.patch
7d44272960d7ecdc920a14eb19c686c6808fe980bb85c3a467b5e343f137d927  xsa469/xsa469-4.17-05.patch
3984f20f3b84a579a4828da8c60268f55f1ff2dfc030d1790efb52a6ad659cd9  xsa469/xsa469-4.17-06.patch
8ec20c0943def1764c858c76699991aa0b7af76a8773be8219d62c240cf0b294  xsa469/xsa469-4.17-07.patch
00943be479ac428a496dec248c33e9ae9a0002e437a50c46a43d15146ddcccd8  xsa469/xsa469-4.18-01.patch
b5e9ab3ba33c7a5ad2948521a71d73b8e587d4b86fb73b3ce06557343753b097  xsa469/xsa469-4.18-02.patch
cf9a224628f218a7afdf7a275da270b8f469342133d3239c19a8b05adb8d9d9e  xsa469/xsa469-4.18-03.patch
5179885f9452f932b9829e942a6942d7a1bba6820c383b0e0ac7ade34f6f444c  xsa469/xsa469-4.18-04.patch
d7271118c516ea2b57b82afbaa67e44ebc0bee9067925850671a47ba7e6916fc  xsa469/xsa469-4.18-05.patch
99aa42f3b4d492c21d3027f74abe20183cdd411fdf94d62c10c423e6516db5aa  xsa469/xsa469-4.18-06.patch
893e3b721fe00623a8d75414f40f11033a4a3999d368a141eec8652d9733a77e  xsa469/xsa469-4.18-07.patch
a5a958452c4b3adc820692349103892ec3ffc3195c9b4e1fc55547d2ec7aec57  xsa469/xsa469-4.19-01.patch
2f3a3dadc69026ffa0a093ae34c239023e2336b3f9ec90a1ddc5df7b103c158c  xsa469/xsa469-4.19-02.patch
3aebd84d8c9374e8db4f28a1bd0265ff46d60a142e8cc983c0eae99a3caa4459  xsa469/xsa469-4.19-03.patch
bbdb2fcda3d2fe36ceaaf235700158f5a4f08c8983732265725cc7ac811c9bd2  xsa469/xsa469-4.19-04.patch
fd01af8b8cc66b6a1f0e2a7383b4c320cbb1513b7f23a7bd84fbb3e626751122  xsa469/xsa469-4.19-05.patch
1ed51e005c7f07a99793bfc97680bc02e8661412d88a853594f40a02599e03c2  xsa469/xsa469-4.19-06.patch
4dda661661f23b48f62caeaadd1b02ef79b2d7b08e61ab44c2eacdd2171f63b8  xsa469/xsa469-4.19-07.patch
27ce09ab9bb9460bec08761b2f739ce5adb292dc13664dfa425e42e5b8db8731  xsa469/xsa469-4.20-01.patch
f9e1e999e5121b71263ccac9e5dbc7f2422751cd8776526b59a3a535245ee271  xsa469/xsa469-4.20-02.patch
3aebd84d8c9374e8db4f28a1bd0265ff46d60a142e8cc983c0eae99a3caa4459  xsa469/xsa469-4.20-03.patch
bbdb2fcda3d2fe36ceaaf235700158f5a4f08c8983732265725cc7ac811c9bd2  xsa469/xsa469-4.20-04.patch
656031e56bbf8c8d0e8bd294c1e8857dd80850ae3cc68efbf42564f2b9efdb1f  xsa469/xsa469-4.20-05.patch
3343a834e0931b56490a50cc9fc7488a13a98a00923e4399020f628b3aab0220  xsa469/xsa469-4.20-06.patch
465d916cac02bb4ae1edf9db34fe5d2426ac1681a1078d331fbdf449834692c4  xsa469/xsa469-4.20-07.patch
97335c870407928039464307611c0b9687fd7cdfde5124ec5441a4fddfaa4165  xsa469/xsa469-04.patch
226771d9359b3c341c0978a145c29478d4c6ca196ec67d48c3df6115aee27940  xsa469/xsa469-05.patch
17eae8965871975569be4228943d5136eb65951d9c9513d2b0fe743e8cf8e4ef  xsa469/xsa469-06.patch
fa8b7ed035e242a3881431150ee86965f26520dab4432e3f7ac9862063491f72  xsa469/xsa469-07.patch
$
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmgiLJAMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ7uUIAIrV83bfhcHAnZvWo5CGOtuyuwQQuobYKqUcC3fq
/LGKVwmrQVCR6qm2YeI8TIhJfet8OiqutteaVknAJlegVR8uTIznIr7CzjmzgoR5
ojnw0Ae0rQ5rhzSeMvBD1VsbheBI7nmLR9dorMs+Rp9MiVzboT81XOpWDTMHisjI
4LpN+TB+yIB76hQQ4divDnqFKxA1SFQWrmn2bcr3v5cJ1cctvLOic/67WO9Uto92
5tG7iV68cStski0wMvjO1isalCTKSaU7eDjTe1ar+/SwhE4T0RKfcpim3xcc5ZVk
cH/xKcK4vbJUKIxjqnDrEdT3uGk1vdVxJfNAOCpfZc5EwiI=
=A2YZ
-----END PGP SIGNATURE-----

Xenproject.org Security Team
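The RESOLUTION section above asks downstreams to do two things before rebuilding Xen: confirm the downloaded xsa469 patches match the sha256 list in the signed advisory, and build with a toolchain that supports Return Thunks (-mfunction-return, GCC 8 or Clang 15 and newer). The script below is an added example of how a packager might automate both checks; it is not part of the advisory or of the Xen project's own tooling. It assumes the hash lines have been copied out of the advisory's `sha256sum` block into a manifest file (one "hash  path" pair per line, the `$` prompt lines dropped), and that the patches sit under the directory you pass as the second argument. The compiler probe uses the GCC/Clang option `-mfunction-return=thunk-extern`, which is the form Xen's build relies on; the target it compiles is a trivial constructed function, not Xen source.

```shell
#!/bin/sh
# Added example (not part of XSA-469 or the Xen project's own tooling).
# 1. verify_manifest: check downloaded xsa469 patches against a sha256
#    manifest copied from the signed advisory.
# 2. toolchain_supports_return_thunks: check that the C compiler accepts
#    the return-thunk option the XSA-469 patches depend on.

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# verify_manifest MANIFEST DIR
# MANIFEST holds "hash  relative/path" lines, exactly as they appear in the
# advisory's sha256sum block.  Every file is reported as OK, MISMATCH or
# MISSING; the function returns 0 only when all of them match, so it can
# gate a build.  The loop is fed by redirection, not a pipe, so rc survives.
verify_manifest() {
    manifest="$1"
    dir="$2"
    rc=0
    while read -r expected path; do
        [ -z "$expected" ] && continue          # skip blank lines
        case "$expected" in \$*) continue ;; esac  # skip a copied "$ sha256sum" prompt line
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        actual=$(sha256_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# toolchain_supports_return_thunks [CC]
# Compiles a one-line constructed C function with -mfunction-return=thunk-extern
# and returns the compiler's exit status: 0 means the toolchain can emit
# return thunks (GCC >= 8 or Clang >= 15 targeting x86), non-zero means the
# XSA-469 patches cannot be built with it.
toolchain_supports_return_thunks() {
    cc="${1:-cc}"
    printf 'void f(void) {}\n' |
        "$cc" -x c -c -o /dev/null -mfunction-return=thunk-extern - 2>/dev/null
}

# Typical use, with the manifest copied from the advisory:
#   verify_manifest xsa469.sha256 . && toolchain_supports_return_thunks gcc \
#       && echo "ready to apply the XSA-469 patches"
```

Run `verify_manifest` from the directory that contains the `xsa469/` subdirectory so the relative paths in the manifest resolve; a non-zero exit from either function is a reason to stop before patching or rebuilding.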