Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 08 Aug 2023 17:00:22 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 434 v1 (CVE-2023-20569) - x86/AMD:
 Speculative Return Stack Overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2023-20569 / XSA-434

               x86/AMD: Speculative Return Stack Overflow

ISSUE DESCRIPTION
=================

Researchers from ETH Zurich have extended their prior research (XSA-422,
Branch Type Confusion, a.k.a Retbleed) and have discovered INCEPTION,
also know as RAS (Return Address Stack) Poisoning, and Speculative
Return Stack Overflow.

The RAS is updated when a CALL instruction is predicted, rather than at
a later point in the pipeline.  However, the RAS is still fundamentally
a circular stack.

It is possible to poison the branch type and target predictions such
that, at a point of the attackers choosing, the branch predictor
predicts enough CALLs back-to-back to wrap around the entire RAS and
overwrite a correct return prediction with one of the attackers
choosing.

This allows the attacker to control RET speculation in a victim context,
and leak arbitrary data as a result.

For more details, see:
  https://comsec.ethz.ch/inception
  https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-7005

IMPACT
======

An attacker might be able to infer the contents of memory belonging to
other guests.

VULNERABLE SYSTEMS
==================

Only CPUs from AMD are believed to be potentially vulnerable.  CPUs from
other manufacturers are not believed to be impacted.

At the time of writing, all in-support AMD CPUs (that is, Zen1 thru Zen4
microarchitectures) are believed to be potentially vulnerable.  Older
CPUs have not been analysed.

By default following XSA-422, Xen mitigates BTC on AMD Zen2 and older
CPUs by issuing an IBPB on entry to Xen.  On Zen2 and older CPUs, this
is believed to be sufficient to protect against SRSO too.

AMD Zen3 and Zen4 CPUs are susceptible to SRSO too.  All versions of Xen
are vulnerable on these CPUs.

MITIGATION
==========

On Zen3 and Zen4, there is no mitigation.

RESOLUTION
==========

AMD are producing microcode updates for Zen3 and Zen4.  Consult your
dom0 OS vendor.

With the microcode update applied, booting Xen with
`spec-ctrl=ibpb-entry` is sufficient to protect against SRSO.

The appropriate set of patches will default to using IBPB-on-entry on
Zen3 and Zen4 CPUs, as well as synthesise new CPUID bits for guests to
use in order to determine their susceptibility in a migration-safe way.

The patches for this issue interact texturally but not logically with
the fixes for XSA-435, which itself has complexities.  See XSA-435 for
details of how to obtain the fixes.
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmTSZOsMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ8uMIAL2xBV/B3O0t90aFhX75dOWZBUkujMN0xHDjyI+c
lnEmy44QnX+jI9IBSuc4qaJmLXnUO71WsMU1XeKucOnh9E1kjgHB2H0GgS+GI6dG
LtAVxn+RRK39YIO0CHAXvr/tlX/eyodvxtmxOKLRY47J0hHLToXBEdc2VfXrUEfk
8AZn4hhHDGfRMX7jguxPFnrKCS3sZCFn1FYPtUxNGi2BbUzFacc+zZ2OISR7C59H
24q9UIgUVoVwOnUWBEzW6oHmjP44Q0kG3E8LhZQhr1YkAG++KapgTPllc3cU4xja
G8ozTeMeyVbM29EMS7QknOlkvMSUmtgzNg7Pt6El9oSyuH4=
=rrcN
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.