Bug 928620 (CVE-2023-28746, CVE-2023-46841, CVE-2024-2193, XSA-451, XSA-452, XSA-453)

Summary:	<app-emulation/xen-4.17.4_pre2: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Tomáš Mózes <hydrapolic>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	hydrapolic, proxy-maint, xen
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://github.com/gentoo/gentoo/pull/36114
Whiteboard:	B3 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	928665
Bug Blocks:

Description Tomáš Mózes 2024-04-05 07:05:41 UTC

https://xenbits.xen.org/xsa/advisory-451.html

x86: shadow stack vs exceptions from emulation stubs

Recent x86 CPUs offer functionality named Control-flow Enforcement
Technology (CET).  A sub-feature of this are Shadow Stacks (CET-SS).
CET-SS is a hardware feature designed to protect against Return Oriented
Programming attacks. When enabled, traditional stacks holding both data
and return addresses are accompanied by so called "shadow stacks",
holding little more than return addresses.  Shadow stacks aren't
writable by normal instructions, and upon function returns their
contents are used to check for possible manipulation of a return address
coming from the traditional stack.

In particular certain memory accesses need intercepting by Xen.  In
various cases the necessary emulation involves kind of replaying of
the instruction.  Such replaying typically involves filling and then
invoking of a stub.  Such a replayed instruction may raise an
exceptions, which is expected and dealt with accordingly.

Unfortunately the interaction of both of the above wasn't right:
Recovery involves removal of a call frame from the (traditional) stack.
The counterpart of this operation for the shadow stack was missing.


https://xenbits.xen.org/xsa/advisory-452.html

x86: Register File Data Sampling

Intel have disclosed RFDS, Register File Data Sampling, affecting some
Atom cores.

This came from internal validation work.  There is no information
provided about how an attacker might go about inferring data from the
register files.

https://xenbits.xen.org/xsa/advisory-453.html

GhostRace: Speculative Race Conditions

Researchers at VU Amsterdam and IBM Research have discovered GhostRace;
an analysis of the behaviour of synchronisation primitives under
speculative execution.

Synchronisation primitives are typically formed as an unbounded loop
which waits until a resource is available to be accessed.  This means
there is a conditional branch which can be microarchitecturally bypassed
using Spectre-v1 techniques, allowing an attacker to speculatively
execute critical regions.

Therefore, while a critical region might be safe architecturally, it can
still suffer from data races under speculation with unsafe consequences.

The GhostRace paper focuses on Speculative Concurrent Use-After-Free
issues, but notes that there are many other types of speculative data
hazard to be explored.

Comment 1 Larry the Git Cow gentoo-dev

2024-04-05 15:59:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc44fdfb57631d91873825fd0a3412bd813b6780

commit dc44fdfb57631d91873825fd0a3412bd813b6780
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-04-05 07:57:33 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-04-05 15:59:39 +0000

    app-emulation/xen: add 4.17.4_pre2
    
    Fixes XSA-451, XSA-452, XSA-453
    
    Bug: https://bugs.gentoo.org/928620
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen/Manifest               |   1 +
 app-emulation/xen/xen-4.17.4_pre2.ebuild | 179 +++++++++++++++++++++++++++++++
 2 files changed, 180 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c12cea4a6ddfbad3a990e594ce72f8cfa034b168

commit c12cea4a6ddfbad3a990e594ce72f8cfa034b168
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-04-05 07:55:53 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-04-05 15:59:38 +0000

    app-emulation/xen-tools: add 4.17.4_pre2
    
    Fixes XSA-451, XSA-452, XSA-453
    
    Bug: https://bugs.gentoo.org/928620
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen-tools/Manifest                   |   2 +
 .../xen-tools/xen-tools-4.17.4_pre2.ebuild         | 524 +++++++++++++++++++++
 2 files changed, 526 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2024-09-22 06:42:13 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ea0d6e72b1ba346264d25ab8bdd78f6551eaaadf

commit ea0d6e72b1ba346264d25ab8bdd78f6551eaaadf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 06:41:59 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 06:42:08 +0000

    [ GLSA 202409-10 ] Xen: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/918669
    Bug: https://bugs.gentoo.org/921355
    Bug: https://bugs.gentoo.org/923741
    Bug: https://bugs.gentoo.org/928620
    Bug: https://bugs.gentoo.org/929038
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-10.xml | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)