https://xenbits.xen.org/xsa/advisory-451.html x86: shadow stack vs exceptions from emulation stubs Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exceptions, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing. https://xenbits.xen.org/xsa/advisory-452.html x86: Register File Data Sampling Intel have disclosed RFDS, Register File Data Sampling, affecting some Atom cores. This came from internal validation work. There is no information provided about how an attacker might go about inferring data from the register files. https://xenbits.xen.org/xsa/advisory-453.html GhostRace: Speculative Race Conditions Researchers at VU Amsterdam and IBM Research have discovered GhostRace; an analysis of the behaviour of synchronisation primitives under speculative execution. Synchronisation primitives are typically formed as an unbounded loop which waits until a resource is available to be accessed. This means there is a conditional branch which can be microarchitecturally bypassed using Spectre-v1 techniques, allowing an attacker to speculatively execute critical regions. Therefore, while a critical region might be safe architecturally, it can still suffer from data races under speculation with unsafe consequences. The GhostRace paper focuses on Speculative Concurrent Use-After-Free issues, but notes that there are many other types of speculative data hazard to be explored.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc44fdfb57631d91873825fd0a3412bd813b6780 commit dc44fdfb57631d91873825fd0a3412bd813b6780 Author: Tomáš Mózes <hydrapolic@gmail.com> AuthorDate: 2024-04-05 07:57:33 +0000 Commit: Florian Schmaus <flow@gentoo.org> CommitDate: 2024-04-05 15:59:39 +0000 app-emulation/xen: add 4.17.4_pre2 Fixes XSA-451, XSA-452, XSA-453 Bug: https://bugs.gentoo.org/928620 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com> Signed-off-by: Florian Schmaus <flow@gentoo.org> app-emulation/xen/Manifest | 1 + app-emulation/xen/xen-4.17.4_pre2.ebuild | 179 +++++++++++++++++++++++++++++++ 2 files changed, 180 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c12cea4a6ddfbad3a990e594ce72f8cfa034b168 commit c12cea4a6ddfbad3a990e594ce72f8cfa034b168 Author: Tomáš Mózes <hydrapolic@gmail.com> AuthorDate: 2024-04-05 07:55:53 +0000 Commit: Florian Schmaus <flow@gentoo.org> CommitDate: 2024-04-05 15:59:38 +0000 app-emulation/xen-tools: add 4.17.4_pre2 Fixes XSA-451, XSA-452, XSA-453 Bug: https://bugs.gentoo.org/928620 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com> Signed-off-by: Florian Schmaus <flow@gentoo.org> app-emulation/xen-tools/Manifest | 2 + .../xen-tools/xen-tools-4.17.4_pre2.ebuild | 524 +++++++++++++++++++++ 2 files changed, 526 insertions(+)
