Information

Advisory XSA-312
Public release 2020-01-14 14:20
Updated 2020-01-14 14:20
Version 1
CVE(s) none (yet) assigned
Title arm: a CPU may speculate past the ERET instruction

Files

advisory-312.txt (signed advisory file)
xsa312.meta
xsa312.patch
xsa312-4.9.patch
xsa312-4.11.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-312

          arm: a CPU may speculate past the ERET instruction

ISSUE DESCRIPTION
=================

Some CPUs can speculate past an ERET instruction and potentially perform
speculative accesses to memory before processing the exception return.
Since the register state is often controlled by lower privilege level
(i.e guest kernel/userspace) at the point of the ERET, this could
potentially be used as part of a side-channel attack.

IMPACT
======

An attacker, which could include a malicious untrusted user process on
a trusted guest, or an untrusted guest, may be able to use it as part of
side-channel attack to read host memory.

VULNERABLE SYSTEMS
==================

System running all version of Xen are affected.

Whether an individual Arm-based CPU is vulnerable depends on its
speculation properties.  Consult your CPU vendor.

x86 systems are not vulnerable.

MITIGATION
==========

There is no mitigation available.

NOTE REGARDING LACK OF EMBARGO
==============================

This was reported publicly, as affecting other Open Source projects,
before the Xen Project Security Team was made aware.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa312.patch           xen-unstable, Xen 4.13 - 4.12
xsa312-4.11.patch      Xen 4.11 - 4.10
xsa312-4.9.patch       Xen 4.9

$ sha256sum xsa312*
112c9d77f964174db5709c758626a2bd5fec9bfdacc89fbc96f1ddd44aca6bbf  xsa312.meta
9b2078d448e4815c9ddc6554bf869d64412dc787b1b94830a24e47df6a9f30e7  xsa312.patch
29b95d6ea0295e124c3cfd5b1611ae341bb195d1c441ee69976e2f74cde652a8  xsa312-4.9.patch
8d64b3039c570f4b5c82abbbcf2714ec3b60db55fe3e1b3bb838df7dfaf627e9  xsa312-4.11.patch
$
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl4dzjAMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZOx4H/2nt+377yBhbqNqUO2nCbqUWBkCB/OHQQ3uyjytp
PEDW9epevCJHOvQ3w24gh9SplWupHvrzS2PbqCWwEMPZXfkYB6Ye2kr7hbJHMOxB
bP6qm71plWG/RGmKSTVeVbOqAtiwdXkIvE8PIETGSuQ3Ip8exIkWvXnkY3v7KQne
WIg+vcadAqvv9oZj8UAv+V6oihUr1MyOMaddsW0QczF1yhs7EErpSBrLT1G2+nm/
MxY8nE40rAzZBs+G1puODC8uK/LSmGlvms+200FOPHnyyIKmznmAtGLE7pziPj7F
Qdy4GOWLAE1oQcrglmdk6SOCK7CRJSSZ0RminYNNPSX6EqM=
=FnmX
-----END PGP SIGNATURE-----

Xenproject.org Security Team